[Python-ideas] Security: remove "." from sys.path?
Nick Coghlan
ncoghlan at gmail.com
Mon Jun 5 07:06:46 EDT 2017
On 5 June 2017 at 19:49, Stephan Houben <stephanh42 at gmail.com> wrote:
> What about just adding the -I (isolated mode) flag to the #! line of
> installed scripts?
Fedora & derivatives generally do do that, but as others noted, it can
sometimes cause issues with shebang line parsers. It's also easy to
lose the setting when a subprocess gets started based on
sys.executable.
Wrapper scripts can be a little more robust (as long as they use -a to
get sys.executable set appropriately), but things still end up being
quite intricate and fiddly, and it's hard to prove you've plugged all
the gaps.
Providing a separate binary with different defaults baked in at build
time doesn't magically fix everything (since you still need to change
shebang lines to refer to that binary), but it does make it much
easier to *stay* in system mode once you're there.
Cheers,
Nick.
--
Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
More information about the Python-ideas
mailing list