[Tutor] What are security holes?

Steve Holden sholden at holdenweb.com
Mon Jan 28 09:15:12 EST 2002


"dman" <dsh8290 at rit.edu> wrote in message
news:mailman.1012190450.16668.python-list at python.org...
> On Sun, Jan 27, 2002 at 06:33:05PM -0800, Mishre wrote:
> | [snip]
> |
> | > | One way around this is to use Gordon McMillan's Installer[1] to create
> | > | standalone programs, which do not require Python to be installed.
> | >
> | > As I understand it, the program still requires python.  The only
> | > difference is the installer has python bundled with the program so the
> | > end-user doesn't (necessarily) realize that.  It is just an installer,
> | > not a compiler.
> |
> | Technically, yes. :)
> |
> | When the interpreter is included in the result, it would prevent
> | unauthorized use of the interpreter.  Unless the attacker knows that
> | you are using the bundled interpreter and can access it from their
> | program.  However, this would require that they know to search for it,
> | how to use it from their new script and the libs that are available.
>
> Yeah, sure.  Security through obscurity.  Reminds me of the cartoon on
> the cover of the O'Reilly TCP/IP networking book ("you must be at
> least this tall to storm the castle") :-).
>
Are you sure you don't mean the Prentice-Hall "Firewalls and Network
Security" by Cheswick & Bellovin?

Sure, it's unsafe distributing bits of the Python system. But then it's
unsafe getting out of bed in the morning! At least it answers the need to
distribute Python applications without having to say "But you have to
install the Python language first".

If someone knows enough to look for bits of the Python system in a
distributed application then they have many more direct ways to subvert a
system without extracting bits of the Python system from the application and
using them.

regards
 Steve
--
Consulting, training, speaking: http://www.holdenweb.com/
Python Web Programming: http://pydish.holdenweb.com/pwp/