Thread: Re: PEP 370, open questions

Re: PEP 370, open questions
Jean-Paul Calderone <exarkun@divmod.com>
2008-01-17 06:26:09
On Thu, 17 Jan 2008 13:09:34 +0100, Christian Heimes <lists@cheimes.de> wrote:
>Jean-Paul Calderone wrote:
>> If it should, I think the PEP should explain the attack this defends
>> against in more detail.  The current brief mention of "security issues"
>> is a bit hand-wavey.  For example, what is the relationship between
>> security, this feature, and the PYTHONPATH environment variable?  Isn't
>> the attack of putting malicious code into a user site-packages directory
>> the same as the attack of putting it into a directory in PYTHONPATH?
>
>The PYTHONPATH env var has the same security implications. However a
>user has multiple ways to avoid problems. For example the user can use
>the -E flag or set up sudo to ignore the environment.

I'm not sure how sudo gets involved.  sudo doesn't set the euid, it sets
the uid.  This is about programs with the setuid bit set.  (I assume this
doesn't also apply to Python programs that explicitly make use of the
seteuid() call, since this will probably only be checked at interpreter
startup before any Python application code has run.)

>
>The uid and gid tests aren't really required. They just provide an extra
>safety net if a user forgets to add the -s flag to a suid app.

It's not much of a safety net if PYTHONPATH still allows injection of
arbitrary code.  It's just needless additional complexity for no benefit.

On the other hand, if all of the other mechanisms for modifying how
imports work is also made to behave this way, then maybe there's a point.

Jean-Paul
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev

Re: PEP 370, open questions
2008-01-17 07:49:01
On 12:26 pm, exarkun@divmod.com wrote:
>On Thu, 17 Jan 2008 13:09:34 +0100, Christian Heimes <lists@cheimes.de>
>wrote:

>>The uid and gid tests aren't really required. They just provide an
>>extra safety net if a user forgets to add the -s flag to a suid app.

>It's not much of a safety net if PYTHONPATH still allows injection of
>arbitrary code.  It's just needless additional complexity for no
>benefit.

By confusing users' expectations, it may actually be *worse* to add this
"safety net" than to do nothing.  It should be obvious right now that
tightly controlling the environment is a requirement of any suid Python
code.  However, talking about different behavior in the case of
differing euid and uid might confuse some developers and/or
administrators into thinking that Python was doing all it needed to.
There's also the confusion that the value of $HOME is actually the
relevant thing for controlling "user-installed" imports, not the (E)UID.

I think it would be good to have a look at the security implications of
this and other environment-dependent execution, including $PYTHONPATH
and $PYTHONSTARTUP, in a separate PEP.  It might be good to change the
way some of these things work, but in either case it would be good to
have an unambiguous declaration of the *expected* security properties
and potential attack vectors against the Python interpreter, for both
developers and system administrators.
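The configurations argued over in both messages above (a setuid program versus sudo, -E versus -s, and $HOME as the real selector of the user site directory) can be tabulated. The following is an added example, not code from the thread, from PEP 370 or from CPython: it models which caller-controlled directories the interpreter would consider for sys.path. The user-site decision copies the three rules of CPython's site.check_enableusersite() (-s, uid != euid, gid != egid); the Interp class, the vector labels, the "pythonX.Y" placeholder, the assumption that sudo passes $HOME through, and the hostile environment are this example's own constructions.

```python
"""Added example, not code from the thread or from PEP 370: a model of which
caller-controlled directories a Python interpreter will consider for
sys.path under a given configuration.  The user-site decision copies the
three rules of CPython's site.check_enableusersite() (-s, uid != euid,
gid != egid); the Interp class, the vector labels, the 'pythonX.Y' tag and
the sample environments are this example's own assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Interp:
    uid: int
    euid: int
    gid: int
    egid: int
    no_user_site: bool = False        # python -s
    ignore_environment: bool = False  # python -E (drops PYTHON* vars only)
    env: Dict[str, str] = field(default_factory=dict)


def check_enableusersite(i: Interp) -> Optional[bool]:
    """None: off via -s; False: off because uid/gid differ; True: on."""
    if i.no_user_site:
        return None
    if i.uid != i.euid:
        return False
    if i.gid != i.egid:
        return False
    return True


def user_site_dir(i: Interp) -> str:
    """site.py derives USER_BASE from $PYTHONUSERBASE, else expanduser('~/.local'),
    and expanduser reads $HOME.  -E strips PYTHONUSERBASE but not HOME."""
    if not i.ignore_environment and i.env.get("PYTHONUSERBASE"):
        base = i.env["PYTHONUSERBASE"]
    else:
        base = i.env.get("HOME", "/nonexistent") + "/.local"
    return base + "/lib/pythonX.Y/site-packages"


def injection_vectors(i: Interp) -> List[str]:
    """Directories the caller can steer the interpreter to import from.
    (site.py only adds the user site dir if it exists; a caller who
    controls HOME can of course create it.)"""
    vectors: List[str] = []
    if not i.ignore_environment:
        for d in i.env.get("PYTHONPATH", "").split(":"):
            if d:
                vectors.append("PYTHONPATH:" + d)
    if check_enableusersite(i):
        vectors.append("usersite:" + user_site_dir(i))
    return vectors


# Constructed environment of a hostile caller (uid 1000).
HOSTILE_ENV = {"HOME": "/tmp/evil", "PYTHONPATH": "/tmp/evil/lib"}

SCENARIOS = {
    # ordinary script: both vectors honoured
    "plain": Interp(1000, 1000, 1000, 1000, env=HOSTILE_ENV),
    # setuid-root wrapper: the uid check drops user site, PYTHONPATH survives
    "setuid": Interp(1000, 0, 1000, 1000, env=HOSTILE_ENV),
    # setuid-root wrapper run with -E: nothing left
    "setuid -E": Interp(1000, 0, 1000, 1000, ignore_environment=True, env=HOSTILE_ENV),
    # sudo sets uid == euid, so the check never fires; if HOME is passed
    # through (assumed here), -E alone still leaves the user site open
    "sudo -E": Interp(0, 0, 0, 0, ignore_environment=True, env=HOSTILE_ENV),
    # sudo with -E -s: closed
    "sudo -E -s": Interp(0, 0, 0, 0, no_user_site=True,
                         ignore_environment=True, env=HOSTILE_ENV),
}


def report() -> Dict[str, List[str]]:
    """Scenario name -> caller-controlled directories still honoured."""
    return {name: injection_vectors(i) for name, i in SCENARIOS.items()}


if __name__ == "__main__":
    for name, vectors in report().items():
        print(f"{name:12s} {vectors or 'no caller-controlled path'}")
```

The table it prints is the point of both replies: the uid/euid check closes only the user site directory and only for setuid binaries, PYTHONPATH needs -E, and under sudo (where uid and euid agree) the user site directory follows whatever $HOME the caller managed to keep, so -E and -s are both needed. Later CPython releases (3.4 onward) added -I, which implies both flags.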

