How do I add users using Python scripts on a Linux machine
ldo at geek-central.gen.new_zealand
Fri Jan 5 07:48:44 CET 2007
In message <m2hcv651ta.fsf at ordesa.cs.uu.nl>, Piet van Oostrum wrote:
> The scenario is as follows: Suppose the script starts with the line:
> (using #!/usr/bin/env python would be disastrous because the user could
> supply his own `python interpreter' in his PATH.)
> Now a malicious user can make a link to this file in his own directory,
> e.g. to /Users/eve/myscript1. Because permissions are part of the file
> (inode), not of the file name, this one is also suid.
> Now she execs /Users/eve/myscript1. The kernel, when honoring suid
> scripts, would startup python with effective uid root with the command
> line: /usr/bin/env /Users/eve/myscript1
No it wouldn't. This security hole was fixed years ago.
More information about the Python-list