Author Gynvael.Coldwind
Recipients Gynvael.Coldwind, brian.curtin, carlfk, dsmiller, ezio.melotti, flox, fran.rogers, jaraco, loewis, mel, mhammond, michael.foord, nnorwitz, norvellspearman, r.david.murray, tim.peters
Date 2010-11-22.08:44:44
Message-id <1290415487.61.0.261588741928.issue1284316@psf.upfronthosting.co.za>
Content
(since Issue 10491 is superseded by this one, I'll reply here)

As I've said in issue 10491, in my opinion this is not a case of frustrating users because they have to elevate the console (I think they have to do that in case of UAC anyway), but a case of privilege escalation vulnerability on multi-user Windows systems with Python installed globally (i.e. in the default installation directory).

Though I am aware there are not many such systems to begin with, I am pretty certain they do exist (think: servers at a University giving Python access to students, and not using *nix for some reason).
There are also non-multi-user systems with multiple accounts (think: production systems running stuff on different accounts), and this issue can be abused as one of many steps during an attack, after gaining shell access, but before gaining administrative rights.

I acknowledge your right to choose not to fix this issue due to usability issues, but in such a case imo there should be an explicit message during the installation making the user aware of this insecurity.
The last months revealed issues like this in many applications and tools, and they have (mostly) been patched, so administrators might assume this was also fixed in Python (especially since this has been known since 2005).
History
Date User Action Args
2010-11-22 08:44:47 Gynvael.Coldwind set recipients: + Gynvael.Coldwind, tim.peters, loewis, mhammond, nnorwitz, jaraco, mel, dsmiller, norvellspearman, carlfk, ezio.melotti, r.david.murray, michael.foord, brian.curtin, flox, fran.rogers
2010-11-22 08:44:47 Gynvael.Coldwind set messageid: <1290415487.61.0.261588741928.issue1284316@psf.upfronthosting.co.za>
2010-11-22 08:44:44 Gynvael.Coldwind link issue1284316 messages
2010-11-22 08:44:44 Gynvael.Coldwind create