[IronPython] Default install location and site-packages

Jeff Hardy jdhardy at gmail.com
Wed Oct 7 00:47:47 CEST 2009


On Tue, Oct 6, 2009 at 11:53 AM, Giles Thomas
<giles.thomas at resolversystems.com> wrote:
> Michael Foord wrote:
>>
>> (I'm honestly not sure how creating a writable directory is a security
>> issue?)
>
> I suspect people are thinking of an attack where an untrusted user installs
> a package that looks like a normal one, but actually does something
> nefarious like install a rootkit (and perhaps does what the package is meant
> to do as well).  If the administrator then uses the package, the machine is
> compromised.

Exactly. And Python doesn't have code signing or such to prevent such an attack.

For desktops it might not seem like a big deal, but for servers it's
an absolute disaster. It's better if it's not even possible.

- Jeff
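
The concern raised in this thread can be checked for on an existing install. The following is an added example, not part of the original message or of IronPython: it walks each import directory and its ancestors and reports any that an untrusted account could write to. It assumes POSIX permission bits (on Windows the directory ACLs would have to be inspected instead), and the function names and the default trusted uid set are illustrative.

```python
import os
import stat
import sys


def _write_risk(st, trusted_uids, is_entry):
    """Return why an untrusted account could plant or swap code here, or None."""
    if st.st_uid not in trusted_uids:
        return "owned by untrusted uid %d" % st.st_uid
    # A sticky ancestor (e.g. /tmp) stops others renaming our subtree, but a
    # sticky import directory itself still accepts newly planted packages.
    if not is_entry and st.st_mode & stat.S_ISVTX:
        return None
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP:
        return "group-writable"  # review: is every member of the group trusted?
    return None


def audit_import_path(entries=None, trusted_uids=(0,)):
    """Return (sys.path entry, offending directory, reason) tuples."""
    findings = []
    for entry in (sys.path if entries is None else entries):
        path = os.path.realpath(entry or os.getcwd())  # '' means the cwd
        if not os.path.isdir(path):
            continue  # zip archives and missing entries are out of scope here
        current, is_entry = path, True
        while True:
            reason = _write_risk(os.stat(current), trusted_uids, is_entry)
            if reason:
                findings.append((entry, current, reason))
            parent = os.path.dirname(current)
            if parent == current:  # reached the filesystem root
                break
            current, is_entry = parent, False
    return findings


if __name__ == "__main__":
    # Treat root and the invoking user as trusted when run by hand.
    for entry, where, reason in audit_import_path(trusted_uids=(0, os.getuid())):
        print("%s: %s is %s" % (entry, where, reason))
```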


