How to marshal a function?

Cliff Wells logiplexsoftware at earthlink.net
Tue Nov 20 16:06:50 EST 2001


On Tuesday 20 November 2001 12:42, Kragen Sitaker wrote:

> Well, it probably won't introduce any significant new insecurities,
> anyway (assuming ssh is letting him run arbitrary commands, which he
> says it is.)  But using ssh for remote execution is neither necessary
> nor sufficient for security.

I believe, from the information he gave me, that he is using it in a 
fashion similar to the way X is routed over ssh. From the ssh man page:

"Forwarding of arbitrary TCP/IP connections over the secure channel can be
specified either on command line or in a configuration file.  One possible 
application of TCP/IP forwarding is a secure connection to an electronic 
purse; another is going through firewalls."

As far as whether this will provide sufficient security, that's obviously 
more difficult to say.  It was merely my original intention to point out 
the possibility of a security hole (there was no information regarding how 
he was using this application in the first few posts), it seeming likely 
to me that more information regarding his particular application would be 
forthcoming, but the discussion didn't continue in this vein, so this was 
never addressed.  This may have been my fault, and I have already 
apologized to François for this.

>
> > Additionally, since his attitude was similar to yours (annoying), I
> > decided to end it by agreeing with him, which I find to be the
> > quickest way to avoid wasting my time with people who flame rather
> > than discuss.
> >
> > You are absolutely right: no one can decide except him whether his
> > security is sufficient, hence everyone should avoid offering advice on
> > the subject in case someone may disagree with you.
>
> I disagree with your above statements; they are not what I said in my
> post.  I said you need to know more information than he posted to
> evaluate whether or not a particular trust relationship represents a
> security vulnerability.

True.  I was merely pointing out that execution of arbitrary code on a 
server opens a potential security hole.  I don't think anyone would 
disagree with that.

> I wouldn't have bothered to follow up (I'm not fond of flaming either)
> if you hadn't misstated my position above.  (If that's what you
> thought my position was, it's no wonder you were annoyed.)

If I misunderstood you, I apologize.  I didn't find your opinion on 
security annoying so much as the words "irk" and "glib", which I found to 
be sort of rude.  Anyway, this type of thing happens, so please, no hard 
feelings.

Regards,


-- 
Cliff Wells
Software Engineer
Logiplex Corporation (www.logiplex.net)
(503) 978-6726 x308
(800) 735-0555 x308



