How do I add users using Python scripts on a Linux machine

Lawrence D'Oliveiro ldo at geek-central.gen.new_zealand
Fri Jan 5 07:48:44 CET 2007


In message <m2hcv651ta.fsf at ordesa.cs.uu.nl>, Piet van Oostrum wrote:

> The scenario is as follows: Suppose the script starts with the line:
> #!/usr/bin/python
> 
> (using #!/usr/bin/env python would be disastrous because the user could
> supply his own `python interpreter' in his PATH.)
> 
> Now a malicious user can make a link to this file in his own directory,
> e.g. to /Users/eve/myscript1. Because permissions are part of the file
> (inode), not of the file name, this one is also suid.
> 
> Now she execs /Users/eve/myscript1. The kernel, when honoring suid
> scripts, would startup python with effective uid root with the command
> line: /usr/bin/env /Users/eve/myscript1

No it wouldn't. This security hole was fixed years ago.




More information about the Python-list mailing list