[Python-Dev] PEP 594: Removing dead batteries from the standard library

Christian Heimes christian at python.org
Thu May 23 01:44:24 EDT 2019

On 23/05/2019 02.58, Steven D'Aprano wrote:
> On Wed, May 22, 2019 at 01:31:18PM +0200, Christian Heimes wrote:
>> On 22/05/2019 12.19, Steven D'Aprano wrote:
>>> I don't think this PEP should become a document about "Why you should 
>>> use PAM". I appreciate that from your perspective as a Red Hat security 
>>> guy, you want everyone to use best practices as you see them, but it 
>>> isn't Python's position to convince Linux distros or users to use PAM.
>> I think the PEP should make clear why spwd is bad and pining for The 
>> Fjords. The document should point users to correct alternatives. There 
>> is no correct and secure way to use the spwd module to verify user 
>> accounts. Any use of spwd for logins introduces critical security 
>> bugs.
> When you use absolute language about security without considering 
> threat models, like "there is no ... way" and "Any use", you lose 
> credibility in my eyes.
> I have a Linux desktop where I am the only user but not the only user 
> account. If I use spwd, what vulnerabilty am I introducing? That's not a 
> rhetorical question. If spwd does introduce a threat that isn't already 
> there, then please educate me, I genuinely want to know.

I can give you more details once I have resolved some CVEs. The problem
can result into full system compromise by a local or remote attacker
without any trace in the system audit and security logs. Depending on
other circumstances, the issue is CVSS HIGH to CRITICAL, perhaps up to
CVSS score 9.9.


More information about the Python-Dev mailing list