Date: Thu, 5 Jun 2008 10:10:55 +0200 From: Robert Buchholz <rbu@...too.org> To: oss-security@...ts.openwall.com Cc: Ned Ludd <solar@...too.org> Subject: Re: Python Unsafe Module Loading On Wednesday 04 June 2008, Ned Ludd wrote: > So for nearly every python based program you can simply dump *.so > *.py *.pyc files just about anywhere on the file system where an > admin might invoke python. As I also pointed out in our bug , this only happens in two cases: (1) The interactive shell is used to run python code. (2) A python script resides inside an untrusted directory. What I expect to be the most common use case, running python code from /usr, or /home, is safe. Since all out-of-the-box software would be installed in directories that are not world-writable, I am tempted call (2) an error on the user side. Changing the behaviour of python in this manner would also break existing programs. Robert  https://bugs.gentoo.org/show_bug.cgi?id=224925 Download attachment "signature.asc " of type "application/pgp-signature" (836 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.