Message122099
(since Issue 10491 is superseded by this one, I'll reply here)
As I've said in issue 10491, in my opinion this is not a case of frustrating users because they have to elevate the console (I think they have to do that in case of UAC anyway), but a case of privilege escalation vulnerability on multi-user Windows systems with Python installed globally (i.e. in the default installation directory).
Though I am aware there are not many such systems to begin with, I am pretty certain they do exist (think: servers at a university giving Python access to students, and not using *nix for some reason).
There are also non-multi-user systems with multiple accounts (think: production systems running stuff on different accounts), and this issue can be abused as one of many steps during an attack, after gaining shell access, but before gaining administrative rights.
I acknowledge your right to choose not to fix this issue due to usability issues, but in such case imo there should be an explicit message during the installation making the user aware of this insecurity.
The last months revealed issues like this in many applications and tools, and they have (mostly) been patched, so administrators might assume this was also fixed in Python (especially since this is known from 2005).

Date | User | Action | Args
2010-11-22 08:44:47 | Gynvael.Coldwind | set | recipients: + Gynvael.Coldwind, tim.peters, loewis, mhammond, nnorwitz, jaraco, mel, dsmiller, norvellspearman, carlfk, ezio.melotti, r.david.murray, michael.foord, brian.curtin, flox, fran.rogers
2010-11-22 08:44:47 | Gynvael.Coldwind | set | messageid: <1290415487.61.0.261588741928.issue1284316@psf.upfronthosting.co.za>
2010-11-22 08:44:44 | Gynvael.Coldwind | link | issue1284316 messages
2010-11-22 08:44:44 | Gynvael.Coldwind | create |
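A defender-side check for the condition this message describes (a globally installed Python whose directory ordinary accounts can write to), added here as an example and not part of the issue or of CPython itself. It parses the text that `icacls <install-dir>` prints on Windows and flags every allow-ACE that grants a write-capable right to a principal all local accounts belong to (BUILTIN\Users, Authenticated Users, Everyone). The two ACL listings embedded below are constructed, and the path C:\Python27 is an assumed example; on a real host you would feed the script the actual `icacls` output for the directory the installer used.

```python
"""Flag write access for non-administrative principals in icacls output.

Added example (not from the issue or from CPython).  The ACL listings below
are constructed to illustrate an insecure and a hardened install directory;
the path C:\\Python27 is an assumption used only for the sample.
"""
import re
from dataclasses import dataclass

INSTALL_DIR = r"C:\Python27"  # assumed example path

# Constructed: what `icacls C:\Python27` might print when the installer left
# the directory writable for ordinary users (Users can add files and
# subdirectories, Authenticated Users have Modify).
INSECURE_ICACLS_OUTPUT = r"""C:\Python27 NT AUTHORITY\SYSTEM:(OI)(CI)(F)
            BUILTIN\Administrators:(OI)(CI)(F)
            BUILTIN\Users:(OI)(CI)(RX)
            BUILTIN\Users:(CI)(AD)
            BUILTIN\Users:(CI)(WD)
            NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
            CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed: the same directory after restricting non-admins to read/execute.
HARDENED_ICACLS_OUTPUT = r"""C:\Python27 NT AUTHORITY\SYSTEM:(OI)(CI)(F)
            BUILTIN\Administrators:(OI)(CI)(F)
            BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals that every local, non-administrative account is a member of.
BROAD_PRINCIPALS = {
    "BUILTIN\\Users",
    "NT AUTHORITY\\Authenticated Users",
    "Everyone",
    "NT AUTHORITY\\INTERACTIVE",
}

# icacls rights tokens that allow creating, changing or deleting entries:
# F=full, M=modify, W=write, D/DE=delete, WD=write data/add file,
# AD=append data/add subdirectory, WA/WEA=write attributes, DC=delete child.
WRITE_TOKENS = {"F", "M", "W", "D", "DE", "WD", "AD", "WA", "WEA", "DC"}
INHERITANCE_TOKENS = {"OI", "CI", "IO", "NP", "I"}

ACE_RE = re.compile(r"^(?P<principal>[^:]+?):(?P<flags>(?:\([^()]*\))+)$")


@dataclass(frozen=True)
class Ace:
    principal: str
    inheritance: frozenset
    rights: frozenset
    deny: bool


def parse_icacls(output: str, path: str) -> list:
    """Turn icacls text into Ace records; the first line carries the path."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        tokens = []
        # Specific rights are printed comma-separated inside one paren group.
        for group in re.findall(r"\(([^()]*)\)", m.group("flags")):
            tokens.extend(t.strip() for t in group.split(","))
        deny = "DENY" in tokens
        inheritance = frozenset(t for t in tokens if t in INHERITANCE_TOKENS)
        rights = frozenset(t for t in tokens
                           if t not in INHERITANCE_TOKENS and t != "DENY")
        aces.append(Ace(m.group("principal").strip(), inheritance, rights, deny))
    return aces


def writable_by_non_admins(aces: list) -> list:
    """Allow-ACEs that give a broad principal any write-capable right."""
    findings = []
    for ace in aces:
        if ace.deny or ace.principal not in BROAD_PRINCIPALS:
            continue
        granted = ace.rights & WRITE_TOKENS
        if granted:
            findings.append((ace.principal, tuple(sorted(granted))))
    return findings


def audit(output: str, path: str) -> list:
    """Convenience wrapper: parse icacls output and return the findings."""
    return writable_by_non_admins(parse_icacls(output, path))


if __name__ == "__main__":
    for label, listing in (("insecure", INSECURE_ICACLS_OUTPUT),
                           ("hardened", HARDENED_ICACLS_OUTPUT)):
        findings = audit(listing, INSTALL_DIR)
        print(f"{label}: {len(findings)} risky ACE(s)")
        for principal, rights in findings:
            print(f"  {principal} -> {','.join(rights)}")
```

The check deliberately ignores deny entries and looks only at principals that every local account belongs to, so a finding means any user who can log on could place or replace files under the interpreter's directory, which is exactly the escalation path the message describes. Read/execute (RX) for Users is left alone, since that is what a shared install needs.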