Michael wrote:
> I still see it as a question of usability rather than security. (I'm
> honestly not sure how creating a writable directory is a security
> issue?) If the default install location of IronPython makes installing
> and using Python packages with IronPython impossible for non-elevated
> users then that is an extreme misfeature.
This is the security problem. Let's say I, a normal user, go into
C:\Python26\Lib\site-packages and creates or modifies sitecustomize.py.
In sitecustomize.py I add some code like:

    import os
    if os.environ['USERNAME'] == 'Administrator':
        # install malware here, set myself as an administrator, format C,
        # etc...
        pass

Now I just sit back and wait for an administrator to start some program
which relies on Python. I now have full control of a machine which I was
originally only granted normal user access on.
_______________________________________________
Users mailing list
http://lists.ironpython.com/listinfo.cgi/users-ironpython.com
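
An audit for the condition described in the message above, as an added example that is not part of the original post or of IronPython: run as a normal (non-elevated) user, it lists the import directories where that user can create or modify sitecustomize.py or usercustomize.py. The function names and the report layout are assumptions made for this example.

```python
import os
import sys
import tempfile

# Modules the site machinery imports automatically at interpreter startup.
AUTO_IMPORTED = ("sitecustomize.py", "usercustomize.py")


def can_create_file(directory):
    """Return True if the current user can create a file in `directory`."""
    try:
        # The probe file is removed as soon as it is closed.
        with tempfile.TemporaryFile(dir=directory):
            return True
    except OSError:
        return False


def audit_import_dirs(paths=None):
    """Report import directories the current user is able to write to.

    Run as a normal (non-elevated) user against a shared installation:
    every finding is a place where that user could plant or alter code
    that another account's interpreter would later import.
    """
    findings = []
    for entry in (sys.path if paths is None else paths):
        directory = os.path.abspath(entry or os.curdir)
        if not os.path.isdir(directory):
            continue  # zip archives and missing entries are skipped
        existing = [name for name in AUTO_IMPORTED
                    if os.path.isfile(os.path.join(directory, name))]
        # An existing auto-imported file the user can modify is as bad
        # as a directory the user can create one in.
        modifiable = [name for name in existing
                      if os.access(os.path.join(directory, name), os.W_OK)]
        if can_create_file(directory) or modifiable:
            findings.append({"dir": directory,
                             "auto_imported_present": existing,
                             "auto_imported_modifiable": modifiable})
    return findings


if __name__ == "__main__":
    for f in audit_import_dirs():
        print("WRITABLE: %(dir)s present=%(auto_imported_present)s" % f)
```

Entries for the current directory or the user's own profile are expected to be writable; the findings that matter are directories inside a shared installation that other accounts also import from.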