permissions on packages

Hi,

I'm writing to seek a better understanding of how
permissions should  
work in python on the Mac.

Out-of-the-MacPython-2.4-install box, files in
/Library/Frameworks/ 
Python.framework/Versions/2.4/lib/python2.4 have permissions
like these:

-rw-rw-r--     1 root  admin   26255 Oct 18 01:39 zipfile.py
-rw-rw-r--     1 root  admin   18931 Dec  6 22:14
zipfile.pyc
-rw-rw-r--     1 root  admin   18931 Dec  6 22:14
zipfile.pyo

In the site-packages directory, packages I installed (via  
macpython.com, e.g. numpy, Numeric, matplotlib, etc) have
permissions  
like:

drwxrwxr-x    41 501    admin   1394 Jul  5 20:11 Numeric/
drwxrwxr-x   157 501    admin   5338 Dec  9 20:57
matplotlib/
drwxr-xr-x   130 root   admin   4420 Dec  7 04:39 numarray/
drwxrwxr-x    47 501    admin   1598 Oct 27 16:54 numpy/
drwxrwxr-x     6 501    admin    204 Oct 27 16:54
numpy-1.0-py2.4.egg- 
info/
-rw-rw-r--     1 501    admin     31 Oct 26 06:26 pylab.py
-rw-rw-r--     1 501    admin    205 Oct 30 10:15 pylab.pyc
-rw-rw-r--     1 501    admin    205 Oct 30 10:15 pylab.pyo
drwxrwxr-x    43 501    admin   1462 Sep 17 18:04 scipy/
drwxrwxr-x     6 501    admin    204 Sep 17 18:04
scipy-0.5.1- 
py2.4.egg-info/
drwxr-xr-x    10 bthom  admin    340 Dec  7 01:33
setuptools-0.6c3- 
py2.4.egg/
-rw-r--r--     1 bthom  admin     29 Dec  7 01:33
setuptools.pth
drwxrwxr-x     4 root   admin    136 Jul 15 16:03
wx-2.6-mac-unicode/
-rw-r--r--     1 root   admin     18 Jul 15 16:03 wx.pth
drwxr-xr-x     4 root   admin    136 Jul 15 16:03 wxaddons/
-rw-r--r--     1 root   admin  17813 Jan 20  2006
wxversion.py

Is there a reason why these packages have owner 501? And is
there a  
reason why group have read access? I'd have thought the best
way to  
install something that are supposed to work as-is would be
to have  
root as owner, giving sole write permissions to owner. (Then
to  
modify something, you'd have to sudo).

I'm beginning to realize its not that simple. For instance,
the first  
time I (w/admin privs) try and edit a file (e.g.
zipfile.py),  
TextEdit asks if I'd like to overwrite the permissions on
save.  
Saying yes overwrites the file. The disturbing thing is that
on  
future opens (even after TextEdit's been closed) I am no
longer  
asked; overwriting saves occur automatically. Fortunately,
when I  
created another user w/o admin permissions, overwriting when
logged  
in as this less priv'd user didn't seem to be an option.

...but I'd like to protect against myself (this is esp. true
b/c I  
use ipython w/in xemacs w/%pdb on, so I'm often dumped into
the  
editor w/a file like bpd.py).

Some more poking in a package directory (e.g. matplotlib)
shows  
permissions like:

-rw-rw-r--     1 root   admin    40789 Oct 26 09:30
__init__.py
-rw-r--r--     1 bthom  admin    39389 Dec 10 21:02
__init__.pyc
-rw-rw-r--     1 root   admin    30134 Oct 30 10:15
__init__.pyo

What's interesting here is that pyc is owned by me (perhaps
b/c it  
was compiled via my first call to __init__.py). However, I'm
pretty  
sure what I installed off macpython.com was binarys---so
there should  
be no need to compile the files, right? Again, I (perhaps
naively)  
would feel better if all of these files were owned by root
(and that  
only root could override them).

Security issues become even more important as students will
be using  
python/ipython from the same machine.

Perhaps I'm missing something really basic (would a Finder
view to  
permissions provide better control?). Or perhaps the ability
to not  
protect as tightly against myself as admin as I'd have liked
is a  
"feature".

What have others done wrt this issue?

Thanks,
--b
_______________________________________________
Pythonmac-SIG maillist  -  Pythonmac-SIGpython.org
http://mail.python.org/mailman/listinfo/pythonmac-sig

On 12/11/06, belinda thom <bthomcs.hmc.edu> wrote:
> Hi,
>
> I'm writing to seek a better understanding of how
permissions should
> work in python on the Mac.
>
> Out-of-the-MacPython-2.4-install box, files in
/Library/Frameworks/
> Python.framework/Versions/2.4/lib/python2.4 have
permissions like these:
>
> -rw-rw-r--     1 root  admin   26255 Oct 18 01:39
zipfile.py
> -rw-rw-r--     1 root  admin   18931 Dec  6 22:14
zipfile.pyc
> -rw-rw-r--     1 root  admin   18931 Dec  6 22:14
zipfile.pyo
>
> In the site-packages directory, packages I installed
(via
> macpython.com, e.g. numpy, Numeric, matplotlib, etc)
have permissions
> like:
>
> drwxrwxr-x    41 501    admin   1394 Jul  5 20:11
Numeric/
> drwxrwxr-x   157 501    admin   5338 Dec  9 20:57
matplotlib/
> drwxr-xr-x   130 root   admin   4420 Dec  7 04:39
numarray/
> drwxrwxr-x    47 501    admin   1598 Oct 27 16:54
numpy/
> drwxrwxr-x     6 501    admin    204 Oct 27 16:54
numpy-1.0-py2.4.egg-
> info/
> -rw-rw-r--     1 501    admin     31 Oct 26 06:26
pylab.py
> -rw-rw-r--     1 501    admin    205 Oct 30 10:15
pylab.pyc
> -rw-rw-r--     1 501    admin    205 Oct 30 10:15
pylab.pyo
> drwxrwxr-x    43 501    admin   1462 Sep 17 18:04
scipy/
> drwxrwxr-x     6 501    admin    204 Sep 17 18:04
scipy-0.5.1-
> py2.4.egg-info/
> drwxr-xr-x    10 bthom  admin    340 Dec  7 01:33
setuptools-0.6c3-
> py2.4.egg/
> -rw-r--r--     1 bthom  admin     29 Dec  7 01:33
setuptools.pth
> drwxrwxr-x     4 root   admin    136 Jul 15 16:03
wx-2.6-mac-unicode/
> -rw-r--r--     1 root   admin     18 Jul 15 16:03
wx.pth
> drwxr-xr-x     4 root   admin    136 Jul 15 16:03
wxaddons/
> -rw-r--r--     1 root   admin  17813 Jan 20  2006
wxversion.py
>
> Is there a reason why these packages have owner 501?
And is there a
> reason why group have read access? I'd have thought the
best way to
> install something that are supposed to work as-is would
be to have
> root as owner, giving sole write permissions to owner.
(Then to
> modify something, you'd have to sudo).
>
> I'm beginning to realize its not that simple. For
instance, the first
> time I (w/admin privs) try and edit a file (e.g.
zipfile.py),
> TextEdit asks if I'd like to overwrite the permissions
on save.
> Saying yes overwrites the file. The disturbing thing is
that on
> future opens (even after TextEdit's been closed) I am
no longer
> asked; overwriting saves occur automatically.
Fortunately, when I
> created another user w/o admin permissions, overwriting
when logged
> in as this less priv'd user didn't seem to be an
option.
>
> ...but I'd like to protect against myself (this is esp.
true b/c I
> use ipython w/in xemacs w/%pdb on, so I'm often dumped
into the
> editor w/a file like bpd.py).
>
> Some more poking in a package directory (e.g.
matplotlib) shows
> permissions like:
>
> -rw-rw-r--     1 root   admin    40789 Oct 26 09:30
__init__.py
> -rw-r--r--     1 bthom  admin    39389 Dec 10 21:02
__init__.pyc
> -rw-rw-r--     1 root   admin    30134 Oct 30 10:15
__init__.pyo
>
> What's interesting here is that pyc is owned by me
(perhaps b/c it
> was compiled via my first call to __init__.py).
However, I'm pretty
> sure what I installed off macpython.com was
binarys---so there should
> be no need to compile the files, right? Again, I
(perhaps naively)
> would feel better if all of these files were owned by
root (and that
> only root could override them).
>
> Security issues become even more important as students
will be using
> python/ipython from the same machine.
>
> Perhaps I'm missing something really basic (would a
Finder view to
> permissions provide better control?). Or perhaps the
ability to not
> protect as tightly against myself as admin as I'd have
liked is a
> "feature".
>
> What have others done wrt this issue?

That's not really intentional. If you want to fix it, feel
free. The
code that makes these packages is bdist_mpkg and the source
is here:

http://svn.pythonmac.org/bdist_mpkg/bdist_mpkg/trunk/

I don't have the time or the need to fix it myself any time
soon.

-bob
_______________________________________________
Pythonmac-SIG maillist  -  Pythonmac-SIGpython.org
http://mail.python.org/mailman/listinfo/pythonmac-sig