[Pythonmac-SIG] permissions on packages
bthom at cs.hmc.edu
Mon Dec 11 07:09:16 CET 2006
I'm writing to seek a better understanding of how permissions should
work in python on the Mac.
Out-of-the-MacPython-2.4-install box, files in /Library/Frameworks/
Python.framework/Versions/2.4/lib/python2.4 have permissions like these:
-rw-rw-r-- 1 root admin 26255 Oct 18 01:39 zipfile.py
-rw-rw-r-- 1 root admin 18931 Dec 6 22:14 zipfile.pyc
-rw-rw-r-- 1 root admin 18931 Dec 6 22:14 zipfile.pyo
In the site-packages directory, packages I installed (via
macpython.com, e.g. numpy, Numeric, matplotlib, etc) have permissions
drwxrwxr-x 41 501 admin 1394 Jul 5 20:11 Numeric/
drwxrwxr-x 157 501 admin 5338 Dec 9 20:57 matplotlib/
drwxr-xr-x 130 root admin 4420 Dec 7 04:39 numarray/
drwxrwxr-x 47 501 admin 1598 Oct 27 16:54 numpy/
drwxrwxr-x 6 501 admin 204 Oct 27 16:54 numpy-1.0-py2.4.egg-
-rw-rw-r-- 1 501 admin 31 Oct 26 06:26 pylab.py
-rw-rw-r-- 1 501 admin 205 Oct 30 10:15 pylab.pyc
-rw-rw-r-- 1 501 admin 205 Oct 30 10:15 pylab.pyo
drwxrwxr-x 43 501 admin 1462 Sep 17 18:04 scipy/
drwxrwxr-x 6 501 admin 204 Sep 17 18:04 scipy-0.5.1-
drwxr-xr-x 10 bthom admin 340 Dec 7 01:33 setuptools-0.6c3-
-rw-r--r-- 1 bthom admin 29 Dec 7 01:33 setuptools.pth
drwxrwxr-x 4 root admin 136 Jul 15 16:03 wx-2.6-mac-unicode/
-rw-r--r-- 1 root admin 18 Jul 15 16:03 wx.pth
drwxr-xr-x 4 root admin 136 Jul 15 16:03 wxaddons/
-rw-r--r-- 1 root admin 17813 Jan 20 2006 wxversion.py
Is there a reason why these packages have owner 501? And is there a
reason why group has read access? I'd have thought the best way to
install something that is supposed to work as-is would be to have
root as owner, giving sole write permissions to owner. (Then to
modify something, you'd have to sudo).
I'm beginning to realize it's not that simple. For instance, the first
time I (w/admin privs) try and edit a file (e.g. zipfile.py),
TextEdit asks if I'd like to overwrite the permissions on save.
Saying yes overwrites the file. The disturbing thing is that on
future opens (even after TextEdit's been closed) I am no longer
asked; overwriting saves occur automatically. Fortunately, when I
created another user w/o admin permissions, overwriting when logged
in as this less priv'd user didn't seem to be an option.
...but I'd like to protect against myself (this is esp. true b/c I
use ipython w/in xemacs w/%pdb on, so I'm often dumped into the
editor w/a file like bpd.py).
Some more poking in a package directory (e.g. matplotlib) shows
-rw-rw-r-- 1 root admin 40789 Oct 26 09:30 __init__.py
-rw-r--r-- 1 bthom admin 39389 Dec 10 21:02 __init__.pyc
-rw-rw-r-- 1 root admin 30134 Oct 30 10:15 __init__.pyo
What's interesting here is that pyc is owned by me (perhaps b/c it
was compiled via my first call to __init__.py). However, I'm pretty
sure what I installed off macpython.com was binaries---so there should
be no need to compile the files, right? Again, I (perhaps naively)
would feel better if all of these files were owned by root (and that
only root could override them).
Security issues become even more important as students will be using
python/ipython from the same machine.
Perhaps I'm missing something really basic (would a Finder view to
permissions provide better control?). Or perhaps the ability to not
protect as tightly against myself as admin as I'd have liked is a
What have others done wrt this issue?