[Python-Dev] Extending startup code: PEP needed?

M.-A. Lemburg mal@lemburg.com
Mon, 08 Jan 2001 21:38:00 +0100

Guido van Rossum wrote:
> > Still, wouldn't it be wise to add some logic to Python to prevent
> > importing untrusted modules, e.g. by making sys.path read-only and
> > disabling the import hook usage using a command line ?
> >
> > This would at least prevent the most obvious attacks. I wonder how
> > RedHat works around these problems.
> I don't understand what kind of attacks you are thinking of.  What
> would making sys.path read-only prevent?  You seem to be thinking that
> some malicious piece of code could try to subvert you by setting
> sys.path.  But what you forget is that if this piece of code cannot be
> trusted with sys.path, it should not be trusted to run at all!

I was thinking an attack where knowledge of common temporary
execution locations is used to trick Python into executing
untrusted code -- the untrusted code would only have to be
copied to the known temporary execution directory and then
gets executed by Python next time the program using the temporary
location is invoked.

But you're right: this is possible whether or not sys.path is
writeable.

Marc-Andre Lemburg
Company:                                        http://www.egenix.com/
Consulting:                                    http://www.lemburg.com/
Python Pages:                           http://www.lemburg.com/python/
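The risk Marc-Andre describes above (a known, shared temporary directory that sits on the import path, so that whatever is dropped there gets imported on the next run) is something a deployment can audit for. The following is an added example, not code from this thread or from CPython: it walks a list of import-path entries and reports the ones an unprivileged user could populate. The function names, the constructed directory layout and the reason strings are all assumptions made for the example.

```python
import os
import shutil
import stat
import tempfile

# Hypothetical helper (added example): report import-path entries that
# another user could populate before the interpreter next starts.


def _is_writable_by_others(path):
    """True if the directory's mode grants write to group or others."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def _under_any_root(path, roots):
    """True if path resolves to one of the roots or somewhere beneath it."""
    real = os.path.realpath(path)
    for root in roots:
        root = os.path.realpath(root)
        if real == root or real.startswith(root + os.sep):
            return True
    return False


def audit_import_path(entries, temp_roots=None):
    """Return [(entry, [reason, ...]), ...] for entries that look risky.

    entries:    a list such as sys.path (strings).
    temp_roots: directories treated as shared temporary locations;
                defaults to tempfile.gettempdir().
    """
    if temp_roots is None:
        temp_roots = (tempfile.gettempdir(),)
    findings = []
    for entry in entries:
        reasons = []
        if entry == "":
            # An empty entry means "the current working directory",
            # which is whatever directory the program happens to be run from.
            reasons.append("empty entry means the current working directory")
        else:
            if _under_any_root(entry, temp_roots):
                reasons.append("inside a shared temporary directory")
            if not os.path.exists(entry):
                reasons.append("does not exist yet, so it could be created later")
            elif _is_writable_by_others(entry):
                reasons.append("writable by group or others")
        if reasons:
            findings.append((entry, reasons))
    return findings


def demo():
    """Build a constructed directory layout and audit it.

    Layout (all constructed for the example, removed afterwards):
      base/tmp/drop   private mode, but under the 'temporary' root
      base/shared     mode 0777, writable by everyone
      base/missing    does not exist
      base/private    mode 0700, should not be flagged
    """
    base = tempfile.mkdtemp(prefix="pathaudit-")
    try:
        temp_root = os.path.join(base, "tmp")
        drop = os.path.join(temp_root, "drop")
        os.makedirs(drop)
        os.chmod(drop, 0o700)
        shared = os.path.join(base, "shared")
        os.mkdir(shared)
        os.chmod(shared, 0o777)
        missing = os.path.join(base, "missing")
        private = os.path.join(base, "private")
        os.mkdir(private)
        os.chmod(private, 0o700)

        entries = ["", drop, shared, missing, private]  # constructed sys.path
        return audit_import_path(entries, temp_roots=(temp_root,))
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for entry, reasons in demo():
        print(repr(entry), "->", "; ".join(reasons))
```

Run it against a live interpreter with `audit_import_path(sys.path)`; on a typical install only an empty entry or a world-writable directory should show up, and anything else on the list is a place where Marc-Andre's "copy it to the known directory" scenario applies. The check is advisory: a read-only sys.path would not change the result, which is the point Guido makes in the quoted reply.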