[Python-Dev] PEP 370, open questions
Christian Heimes
lists at cheimes.de
Thu Jan 17 13:09:34 CET 2008
Jean-Paul Calderone wrote:
> If it should, I think the PEP should explain the attack this defends
> against in more detail. The current brief mention of "security issues"
> is a bit hand-wavey. For example, what is the relationship between
> security, this feature, and the PYTHONPATH environment variable? Isn't
> the attack of putting malicious code into a user site-packages directory
> the same as the attack of putting it into a directory in PYTHONPATH?
The PYTHONPATH env var has the same security implications. However a
user has multiple ways to avoid problems. For example the user can use
the -E flag or set up sudo to ignore the environment.
The uid and gid tests aren't really required. They just provide an extra
safety net if a user forgets to add the -s flag to a suid app.
Christian
More information about the Python-Dev
mailing list