[Python-Dev] sudo security hole w/ potential Python connection
Guido van Rossum
guido at python.org
Tue Jan 10 19:31:16 CET 2006
Methinks anyone using sudo to allow non-root-users to execute specific
scripts without giving them full root perms is relying on security by
obscurity at this point. (Ditto for setuid Python scripts BTW.)
--Guido
On 1/10/06, skip at pobox.com <skip at pobox.com> wrote:
>
> Got this from a Google alert overnight. It's not really a Python problem
> (it's a sudo problem), but it's probably not a bad idea to understand the
> implications.
>
> >> SUDO Python Environment Cleaning Privilege Escalation ...
> >> Secunia - UK
> >> ... This can be exploited by a user with sudo access to a python script
> >> to gain access to an interactive python prompt via the "PYTHONINSPECT"
> >> environment variable ...
> >> <http://secunia.com/advisories/18358/>
>
> Skip
> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> http://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: http://mail.python.org/mailman/options/python-dev/guido%40python.org
>
--
--Guido van Rossum (home page: http://www.python.org/~guido/)
More information about the Python-Dev
mailing list