Friday Filosofical Finking: Import protections
Cameron Simpson
cs at cskk.id.au
Wed Apr 17 21:24:27 EDT 2019
On 17Apr2019 21:45, MRAB <python at mrabarnett.plus.com> wrote:
>On 2019-04-17 21:20, DL Neil wrote:
>>Do you bother with exception handling for import statements?
[...]
>Catch only what you (well, the script) can fix.
>
>If it needs numpy, but can't import numpy, then what can it do? Might
>as well just let it fail.
I'm of this mind too, but...
>I suppose an alternative might be to try to download and install numpy
>and then retry, but what if it can't be downloaded, or the installation
>fails?
As an example of what an open-ended can of worms attempted recovery might
be, yeah. How hard do you try? But also, "installation fails": that
isn't always a clean situation: it can litter the install area with
partial junk.
But this is also a bad example: it is something an _invoked_ programme
should never try to do. Except by specific deliberate design and
request, a running application shouldn't presume it has rights to
install additional things, or even to try. I have personally (though
metaphorically) clipped devs across the ear for doing themselves the
moral equivalent of the above: try thing, then just "sudo try thing"
when it was forbidden.
Particularly in managed environments, the setup is often deliberately
designed to not permit this. Consider the app behind a web service:
those which are able to install code are in theory open to being
manipulated from the outside to install and run code - malicious code.
For this reason such environments are deliberately designed so that an
app has the barest minimum privileges to perform its task.
So: the app _can't_ write to its code area or to the htdocs tree (in
whatever form that may be) - that way lies site defacement and
application subversion. It can't create tables in the database or modify
schemas. It can't modify data it should not touch, or read data it
should never see (think reading credential tables or modifying role
definitions as some examples).
Installing additional packages is the same as self modifying code: as a
rule, the admins install packages, not the app.
Sorry, ranting now over.
Cheers,
Cameron Simpson <cs at cskk.id.au>
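
An added illustration, not part of the original message or thread: a deployment-time check for the setup described above, where the application's account cannot write to its own code area. The function names, the `extra` parameter for a document root, and the decision to look only at classic Unix mode bits (no POSIX ACLs, no read-only mounts) are assumptions of this sketch.

```python
import os
import sys


def can_modify_dir(path, uid, gids):
    """True if the account (uid, gids) may create or replace files in path,
    judged by owner/group/other mode bits only."""
    if uid == 0:
        return True  # root bypasses the mode bits entirely
    st = os.stat(path)
    if st.st_uid == uid:
        shift = 6  # owner bits
    elif st.st_gid in gids:
        shift = 3  # group bits
    else:
        shift = 0  # other bits
    need = 0o3  # write + search are both required to add files
    return ((st.st_mode >> shift) & need) == need


def writable_code_dirs(uid, gids, paths=None, extra=()):
    """Return import-path directories (plus extra roots such as a document
    tree) that the given account could modify."""
    findings = []
    seen = set()
    for entry in list(sys.path if paths is None else paths) + list(extra):
        # An empty sys.path entry means the current working directory.
        directory = os.path.realpath(entry or os.getcwd())
        if directory in seen or not os.path.isdir(directory):
            continue  # skip duplicates, zip archives and missing entries
        seen.add(directory)
        if can_modify_dir(directory, uid, gids):
            findings.append(directory)
    return findings


if __name__ == "__main__":
    # Audit the account this process is running as; non-zero exit on findings.
    bad = writable_code_dirs(os.getuid(), set(os.getgroups()) | {os.getgid()})
    for d in bad:
        print("writable code directory:", d)
    sys.exit(1 if bad else 0)
```

Run under the service account as part of deployment, a non-zero exit means the application could install or alter code on its own import path.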