On 30 May 2019, at 01:49, Steven D'Aprano <steve@pearwood.info> wrote:
On Wed, May 29, 2019 at 10:22:31PM +0100, Barry wrote:
Serhiy, I think, is conflating two things. 1. How to write software robust against attack. 2. How to replace a symlink atomically.
I don't have an opinion on whether Serhiy is right or wrong.
The only reason 1 is a problem is that the application is not in control of its file space which I would suggest means you already lost.
I think the OP wants a solution to 2,
In the bug report Tom linked to initially:
https://bugs.python.org/issue36656
he clearly references an attacker overwriting the file, rather than an accidental overwrite. So I think #1 is relevant -- except that Serhiy makes a good point that atomicity doesn't solve #1.
I admit to a preference for atomic file operations where possible. Atomic operations are generally better, because they either succeed or fail, they don't half succeed and leave detritus lying around that you have to clean up. That's a good thing.
No offense intended to Serhiy... I don't know why the concept is so controversial. I feel that had a core dev just gone ahead and implemented this behaviour either in shutils or os.symlink, nobody would have objected and asked for it to be removed. It's only because Tom has to (a) ask permission and (b) discuss the design first that we are having the debate.
Making things atomic may not be a solution to every problem, but nor is it harmful and something we want to avoid. I can understand Serhiy saying "I don't care to implement this myself, and I won't review the PR, let somebody else do it" but I'm not sure why he is objecting to a volunteer willing to do the job.
But since Serhiy has objected, Tom has to respond to those objections. Serhiy is one of the most productive and most respected of the core devs, and right or wrong he cannot be ignored.
Sorry, I should have checked back on the OP report, not relied on my memory. Serhiy is right that atomic rename will not fix all security problems. Designing secure software takes a lot of analysis. As you say the atomic rename is valuable in its own right. I'd not put it in os as an implementation based on ln -sf would not be trivial and I think better fits in shutil.

Barry
--
Steven

_______________________________________________
Python-ideas mailing list
Python-ideas@python.org
https://mail.python.org/mailman/listinfo/python-ideas
Code of Conduct: http://python.org/psf/codeofconduct/
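The "atomic rename" approach the thread is arguing about, as an added example that is not part of the thread, the bug report's patch, or shutil: create a uniquely named temporary symlink in the same directory and rename it over the existing one, so a reader never observes the link missing. The `replace_symlink` name and the refusal to clobber a non-symlink are my own choices; the comments note where atomicity stops helping, which is Serhiy's point.

```python
import os
import tempfile
import uuid


def replace_symlink(link_path: str, new_target: str) -> None:
    """Point link_path at new_target with a single rename(2).

    The symlink is first created under a unique temporary name in the same
    directory (so the rename is not a cross-filesystem copy), then renamed
    over link_path. On POSIX, rename(2) is atomic: the old link is swapped
    for the new one and no window exists where link_path is absent.
    """
    directory = os.path.dirname(os.path.abspath(link_path))
    # Refuse to replace something that is not a symlink. This is a plain
    # check-then-act, so it only guards against accidents, not against an
    # attacker who controls the directory: atomicity does not fix that.
    if os.path.lexists(link_path) and not os.path.islink(link_path):
        raise FileExistsError(f"{link_path} exists and is not a symlink")
    tmp = os.path.join(directory, f".{os.path.basename(link_path)}.{uuid.uuid4().hex}.tmp")
    os.symlink(new_target, tmp)  # symlink(2) fails rather than follows if tmp exists
    try:
        os.replace(tmp, link_path)  # one rename(2): old link -> new link, atomically
    except BaseException:
        os.unlink(tmp)  # do not leave the temporary link behind on failure
        raise


def demo() -> tuple:
    """Constructed scenario: swap a 'current' link from release-1 to release-2."""
    with tempfile.TemporaryDirectory() as d:
        link = os.path.join(d, "current")
        os.symlink("release-1", link)
        before = os.readlink(link)
        replace_symlink(link, "release-2")
        return before, os.readlink(link)


def demo_guard() -> bool:
    """Constructed scenario: a regular file in the way is left untouched."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "current")
        open(p, "w").close()
        try:
            replace_symlink(p, "release-2")
        except FileExistsError:
            return os.path.isfile(p) and not os.path.islink(p)
        return False


if __name__ == "__main__":
    print(demo(), demo_guard())
```

Contrast with `ln -sf`, which unlinks the old link and then creates the new one, leaving a brief window in which the path does not exist at all.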