Securing the Pyton Interpreter?

Vinoo Vasudevan ee01b092 at ee.iitm.ernet.in
Thu Jul 17 08:59:36 CEST 2003


Steven Taschuk <staschuk at telusplanet.net> wrote in message news:<mailman.1058345545.31859.python-list at python.org>...
> Quoth Mel Wilson:
> > seem to recall there are complications with suid on scripts
> > .. though I don't recall what they are.
> 
> A simple example:  Let the file insecure_script contain
>     #!/bin/sh
>     grep 'f.*bar' $*
> This script must not be made setuid-root.  Consider:
>     $ cat >grep
>     #!/bin/sh
>     cp /etc/shadow . && chmod 0666 ./shadow
>     ^D
>     $ chmod +x ./grep
>     $ export PATH=.:$PATH
>     $ insecure_script
> 
> You could deal with this particular problem by using absolute path
> names for everything in the script, and/or by setting $PATH in the
> script itself.  [clip]

I didn't see this post before I posted the one with the naive shell
script. As clear as I can make it, the problem seems to be two-fold :-
Not allowing normal users to access the python interpreter directly,
and making sure they run only a certain set of scripts.
One solution that may work is to set up the interpreter so that _only_
you have read and execute permissions(maybe installing it in your home
directory), and then putting a shell script which has your UID but has
read and execute permissions for all users in a commonly accessible
place. The path to the interpreter and the python scripts must be
absolute in this script to avoid  security problems as mentioned
above.

Hope this works,
 Vinoo




More information about the Python-list mailing list