[Python-Dev] PEP 3147, __pycache__ directories and umask

Russell E. Owen rowen at uw.edu
Tue Mar 23 20:49:26 CET 2010


In article <4BA80418.6030905 at canterbury.ac.nz>,
 Greg Ewing <greg.ewing at canterbury.ac.nz> wrote:

> Antoine Pitrou wrote:
> 
> > In light of this issue, I'm -0.5 on __pycache__ becoming the default
> > caching mechanism. The directory ownership/permissions issue is too much
> > of a mess, especially for Web applications (think __pycache__ files
> > created by the Apache user).
> 
> Doesn't the existing .pyc mechanism have the same problem? Seems
> to me it's just as insecure to allow the Apache user to create
> .pyc files, since an attacker could overwrite them with arbitrary
> bytecode.
> 
> The only safe way is to pre-compile under a different user and
> make everything read-only to Apache. The same thing would apply
> under the __pycache__ regime.

This does sound like a big security hole both in existing Python and the 
new __pycache__ proposed mechanism. It seems like this is the time to 
address it, while changing the caching mechanism.

If .pyc files are to be shared, it seems essential to (by default) 
generate them at install time and make them read-only for unprivileged 
users.

This in turn implies that we may have to give up some support for 
dragging python modules into site-packages, e.g. not generate .pyc files 
for such modules. At least if we go that route it will mostly affect 
power users, who can presumably cope.

-- Russell
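
An added example, not part of the original message or of CPython: an audit for the condition discussed in this thread, listing places under a source tree where a given account (for instance the web server's user) could create or replace bytecode. The function names are hypothetical, and the check looks only at classic Unix mode bits (no ACLs).

```python
import os
import stat
import sys


def can_write(st, uid, gids=()):
    """Classic Unix mode-bit check for uid/gids; ACLs are not considered."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_bytecode(tree, uid, gids=()):
    """Return (path, reason) pairs where uid could plant or replace bytecode."""
    findings = []
    for root, dirs, files in os.walk(tree):
        dirs.sort()
        holds_code = os.path.basename(root) == "__pycache__" or any(
            name.endswith(".py") for name in files)
        # Write access to the directory is enough: a cache file can be
        # created, or (absent the sticky bit) a read-only one unlinked
        # and recreated.
        if holds_code and can_write(os.stat(root), uid, gids):
            findings.append((root, "directory writable"))
        for name in sorted(files):
            if name.endswith((".pyc", ".pyo")):
                path = os.path.join(root, name)
                if can_write(os.stat(path), uid, gids):
                    findings.append((path, "bytecode file writable"))
    return findings


if __name__ == "__main__":
    # Usage: script.py TREE UID [GID ...]
    tree, uid = sys.argv[1], int(sys.argv[2])
    gids = tuple(int(g) for g in sys.argv[3:])
    for path, reason in audit_bytecode(tree, uid, gids):
        print(f"{reason}: {path}")
```

An empty result for the service account's uid and groups corresponds to the "pre-compile under a different user and make everything read-only" setup described in the quoted text.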
