[Pythonmac-SIG] permissions on packages

belinda thom bthom at cs.hmc.edu
Mon Dec 11 07:09:16 CET 2006 

Hi,

I'm writing to seek a better understanding of how permissions should  
work in python on the Mac.

Out-of-the-MacPython-2.4-install box, files in /Library/Frameworks/ 
Python.framework/Versions/2.4/lib/python2.4 have permissions like these:

-rw-rw-r--     1 root  admin   26255 Oct 18 01:39 zipfile.py
-rw-rw-r--     1 root  admin   18931 Dec  6 22:14 zipfile.pyc
-rw-rw-r--     1 root  admin   18931 Dec  6 22:14 zipfile.pyo

In the site-packages directory, packages I installed (via  
macpython.com, e.g. numpy, Numeric, matplotlib, etc) have permissions  
like:

drwxrwxr-x    41 501    admin   1394 Jul  5 20:11 Numeric/
drwxrwxr-x   157 501    admin   5338 Dec  9 20:57 matplotlib/
drwxr-xr-x   130 root   admin   4420 Dec  7 04:39 numarray/
drwxrwxr-x    47 501    admin   1598 Oct 27 16:54 numpy/
drwxrwxr-x     6 501    admin    204 Oct 27 16:54 numpy-1.0-py2.4.egg- 
info/
-rw-rw-r--     1 501    admin     31 Oct 26 06:26 pylab.py
-rw-rw-r--     1 501    admin    205 Oct 30 10:15 pylab.pyc
-rw-rw-r--     1 501    admin    205 Oct 30 10:15 pylab.pyo
drwxrwxr-x    43 501    admin   1462 Sep 17 18:04 scipy/
drwxrwxr-x     6 501    admin    204 Sep 17 18:04 scipy-0.5.1- 
py2.4.egg-info/
drwxr-xr-x    10 bthom  admin    340 Dec  7 01:33 setuptools-0.6c3- 
py2.4.egg/
-rw-r--r--     1 bthom  admin     29 Dec  7 01:33 setuptools.pth
drwxrwxr-x     4 root   admin    136 Jul 15 16:03 wx-2.6-mac-unicode/
-rw-r--r--     1 root   admin     18 Jul 15 16:03 wx.pth
drwxr-xr-x     4 root   admin    136 Jul 15 16:03 wxaddons/
-rw-r--r--     1 root   admin  17813 Jan 20  2006 wxversion.py

Is there a reason why these packages have owner 501? And is there a  
reason why group have read access? I'd have thought the best way to  
install something that are supposed to work as-is would be to have  
root as owner, giving sole write permissions to owner. (Then to  
modify something, you'd have to sudo).

I'm beginning to realize its not that simple. For instance, the first  
time I (w/admin privs) try and edit a file (e.g. zipfile.py),  
TextEdit asks if I'd like to overwrite the permissions on save.  
Saying yes overwrites the file. The disturbing thing is that on  
future opens (even after TextEdit's been closed) I am no longer  
asked; overwriting saves occur automatically. Fortunately, when I  
created another user w/o admin permissions, overwriting when logged  
in as this less priv'd user didn't seem to be an option.

...but I'd like to protect against myself (this is esp. true b/c I  
use ipython w/in xemacs w/%pdb on, so I'm often dumped into the  
editor w/a file like bpd.py).

Some more poking in a package directory (e.g. matplotlib) shows  
permissions like:

-rw-rw-r--     1 root   admin    40789 Oct 26 09:30 __init__.py
-rw-r--r--     1 bthom  admin    39389 Dec 10 21:02 __init__.pyc
-rw-rw-r--     1 root   admin    30134 Oct 30 10:15 __init__.pyo

What's interesting here is that pyc is owned by me (perhaps b/c it  
was compiled via my first call to __init__.py). However, I'm pretty  
sure what I installed off macpython.com was binarys---so there should  
be no need to compile the files, right? Again, I (perhaps naively)  
would feel better if all of these files were owned by root (and that  
only root could override them).

Security issues become even more important as students will be using  
python/ipython from the same machine.

Perhaps I'm missing something really basic (would a Finder view to  
permissions provide better control?). Or perhaps the ability to not  
protect as tightly against myself as admin as I'd have liked is a  
"feature".

What have others done wrt this issue?

Thanks,
--b

More information about the Pythonmac-SIG mailing list