#13579: Python sys.path security risk
-----------------------------------------------------+---------------------------------------------
Reporter: vbraun                                     | Owner: mvngu
Type: defect                                         | Status: needs_review
Priority: blocker                                    | Milestone: sage-5.4
Component: doctest                                   | Resolution:
Keywords:                                            | Work issues:
Report Upstream: Reported upstream. No feedback yet. | Reviewers: Volker Braun, Jeroen Demeyer
Authors: Jeroen Demeyer, Volker Braun                | Merged in:
Dependencies:                                        | Stopgaps:
-----------------------------------------------------+---------------------------------------------
Comment (by jdemeyer):
Replying to [comment:51 nbruin]:
> Case (B): (current dir group writeable) - It's perfectly safe to make
> directories group writeable, provided the group is sufficiently
> restricted. In fact, it's a very conceivable setup if you have multiple
> administrators that you want to give a lot of latitude, short of root
> (e.g., because your filesystem is NFS with root-squash)
Then it's likely that ''both'' the Python script and the directory
containing it are group-writable by the same group, which is allowed by my
patch.
> Case (C): (current dir only user writable but by different UID): That's
> how I install packages like sage! Because they need frequent updates,
> they're not owned by root but by a dedicated maintenance account.
My patch allows a directory owned by the same user as the Python
executable. In fact, I precisely had this scenario in mind, that's why I
added this check.
--
Ticket URL: <http://trac.sagemath.org/sage_trac/ticket/13579#comment:52>
Sage <http://www.sagemath.org>
Sage: Creating a Viable Open Source Alternative to Magma, Maple, Mathematica,
and MATLAB
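
A sketch of the directory rule discussed in this comment, as an added example that is not the ticket's patch. Only cases (B) and (C) come from the comment; the world-writable rejection, the root/invoking-user owner set, and all names and sample uids/gids (`dir_is_trusted`, `St`, 1000, 500, 50) are assumptions.

```python
import os
import stat
from collections import namedtuple

# Minimal stand-in for os.stat_result so the rule can be exercised offline.
St = namedtuple("St", "st_uid st_gid st_mode")

def dir_is_trusted(d, script, python_exe, euid):
    """Decide whether directory `d` (holding `script`) may go on sys.path.

    Assumed rule set, reconstructed from the comment above:
      - world-writable directories are never trusted (assumption);
      - owner must be root, the invoking user (both assumptions), or
        the owner of the Python executable (case C);
      - a group-writable directory is trusted only if the script is
        group-writable by the same group (case B).
    """
    if d.st_mode & stat.S_IWOTH:
        return False
    if d.st_uid not in (0, euid, python_exe.st_uid):
        return False
    if d.st_mode & stat.S_IWGRP:
        return bool(script.st_mode & stat.S_IWGRP) and script.st_gid == d.st_gid
    return True

def script_dir_is_trusted(script_path, python_exe_path):
    """Apply the rule to real files via os.stat()."""
    script_path = os.path.realpath(script_path)
    d, s = os.stat(os.path.dirname(script_path)), os.stat(script_path)
    exe = os.stat(os.path.realpath(python_exe_path))
    return dir_is_trusted(d, s, exe, os.geteuid())

# Constructed sample metadata: uid 1000 runs Python, uid 500 is a
# maintenance account, gid 50 is a restricted admin group.
PY_MAINT = St(500, 500, 0o100755)
PY_ROOT = St(0, 0, 0o100755)
CASES = {
    "case B: dir and script writable by gid 50":
        dir_is_trusted(St(1000, 50, 0o040775), St(1000, 50, 0o100664), PY_ROOT, 1000),
    "dir group-writable, script is not":
        dir_is_trusted(St(1000, 50, 0o040775), St(1000, 50, 0o100644), PY_ROOT, 1000),
    "case C: dir owned by the Python owner":
        dir_is_trusted(St(500, 500, 0o040755), St(500, 500, 0o100644), PY_MAINT, 1000),
    "dir owned by an unrelated uid":
        dir_is_trusted(St(2000, 2000, 0o040755), St(2000, 2000, 0o100644), PY_ROOT, 1000),
}

if __name__ == "__main__":
    for name, ok in CASES.items():
        print(f"{'allow' if ok else 'deny ':5}  {name}")
```

The check looks only at the script's immediate directory; parent directories and changes made between the `os.stat()` calls and the import are not covered by it.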