This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author Ramchandra Apte
Recipients Ramchandra Apte
Date 2012-10-17.02:24:04
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1350440645.16.0.89770624373.issue16248@psf.upfronthosting.co.za>
In-reply-to
Content 
I made many mistakes in the original bug report. Here is a fixed one:

Because Lib/tkinter/__init__.py:1801 uses exec to execute code from a file, it has a security bug. It searches for the file in the home dir. Apparently, on my system, the $HOME variable is the same as the non-root one when running Python with root privileges using sudo.

Steps to reproduce:
create a file called .Tk.py in your home folder
Whatever code is in that file will be executed.

run these three lines of code in Python using sudo:

import tkinter
w = tkinter.Tk()

And the code in the .Tk.py will be executed (unless if you change the baseName for the Tk object)
There may be similar ways of running Python with root privileges preserving the environment variables in other OS'es
Using Kubuntu Linux (variant of Ubuntu Linux) 12.04
History
Date User Action Args
2012-10-17 02:24:05Ramchandra Aptesetrecipients: + Ramchandra Apte
2012-10-17 02:24:05Ramchandra Aptesetmessageid: <1350440645.16.0.89770624373.issue16248@psf.upfronthosting.co.za>
2012-10-17 02:24:05Ramchandra Aptelinkissue16248 messages
2012-10-17 02:24:04Ramchandra Aptecreate