Author zach.ware
Recipients Arfrever, Ramchandra Apte, asvetlov, gpolo, mark.dickinson, terry.reedy, zach.ware
Date 2012-11-01.19:32:41
Message-id <1351798361.14.0.291306945212.issue16248@psf.upfronthosting.co.za>
In-reply-to
Content
If I understand correctly, I think what Ramchandra is getting at is that if an attacker could manage to get a .Tk.py file into a user's home directory somehow, then the next time that user happens to do 'sudo idle', the attacker's code is executed with root privileges.

That said, I don't know that it would be any easier for an attacker to get such a file into such a place than to just do their maliciousness some other way.

I think Guilherme's suggestion of just making those who need it call it themselves, instead of at every tkinter startup, sounds good.
History
Date User Action Args
2012-11-01 19:32:41 zach.ware set recipients: + zach.ware, terry.reedy, mark.dickinson, gpolo, Arfrever, asvetlov, Ramchandra Apte
2012-11-01 19:32:41 zach.ware set messageid: <1351798361.14.0.291306945212.issue16248@psf.upfronthosting.co.za>
2012-11-01 19:32:41 zach.ware link issue16248 messages
2012-11-01 19:32:41 zach.ware create
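
An added example, not part of the original message or of CPython: a defender-side audit of the home-directory startup files discussed in the message above. The `.tcl` variants and the per-program base name follow the naming used by tkinter's `Tk.readprofile()`; `idle` as the base name, the function names and the choice of checks are assumptions.

```python
import os
import stat

LOOSE = stat.S_IWGRP | stat.S_IWOTH  # write bits for group and others


def profile_candidates(home, class_name="Tk", base_name="idle"):
    """Startup files tkinter's Tk.readprofile() looks for in the home directory."""
    names = []
    for stem in (class_name, base_name):
        for ext in ("tcl", "py"):
            name = ".%s.%s" % (stem, ext)
            if name not in names:
                names.append(name)
    return [os.path.join(home, name) for name in names]


def audit_home(home, class_name="Tk", base_name="idle"):
    """Map each startup file present in `home` to a list of findings.

    An empty list means the file exists (so it runs at Tk() startup) but its
    ownership and permissions match what the account owner would create.
    """
    home_st = os.stat(home)
    results = {}
    for path in profile_candidates(home, class_name, base_name):
        if not os.path.isfile(path):      # same test readprofile() applies
            continue
        st = os.stat(path)                # follows symlinks, like the loader
        findings = []
        if os.path.islink(path):
            findings.append("symlink to " + os.path.realpath(path))
        if st.st_uid != home_st.st_uid:
            findings.append("owner uid %d differs from home owner" % st.st_uid)
        if st.st_mode & LOOSE:
            findings.append("writable by group or others")
        if home_st.st_mode & LOOSE:
            findings.append("home directory writable by group or others")
        results[os.path.basename(path)] = findings
    return results


if __name__ == "__main__":
    home = os.environ.get("HOME", os.curdir)  # readprofile() uses the same fallback
    for name, findings in audit_home(home).items():
        print(name, "->", "; ".join(findings) or "present, no permission findings")
```

Point it at the home directory that the privileged process will actually see as `HOME`, since that depends on how sudo is configured.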