[Python-Dev] PEP 594: update 1

Christian Heimes christian at python.org
Tue May 21 14:34:18 EDT 2019


On 21/05/2019 20.18, Giampaolo Rodola' wrote:
>     No, the statement is correct. I may have to explain this even further.
> 
>     The approach in pyftpdlib is wrong and IMO deserves a CVE. The crypt() + spwd() approach is flawed on multiple levels. For example it bypasses account restriction, access control, and login session. It also requires you to run the service as root and with SELinux disabled or an unconfined context -- a bad combination. There is only one correct way to perform a credential check: use PAM.
> 
>     spwd can't be fixed. It could only be replaced with a completely different API that wraps PAM and Windows's authentication API.
> 
>     Christian
> 
>     PS: Authentication, authorization, and identity management are part of my day job at Red Hat.
> 
> 
> Got it. I had no idea. Since you mentioned the CVE it looks like the spwd/crypt docs deserve a warning. This is probably out of the scope of the PEP, but I wonder if the 3 third-party alternatives mentioned in the PEP are mature enough and could be evaluated for stdlib inclusion (the part re. PAM / password-checking at least). Perhaps spwd/crypt could be deprecated in 3.8 and the alternative added in 3.9 before the 3.10 removal.

Sorry, it didn't even occur to me that anybody was still using spwd. I would have added a warning much earlier. There is now https://bugs.python.org/issue36997 to track the problem.

Could you do me a favor and open a feature request?

