Message174450
If I understand correctly, I think what Ramchandra is getting at is that if an attacker could manage to get a .Tk.py file into a user's home directory somehow, then the next time that user happens to do 'sudo idle', the attacker's code is executed with root privileges.
That said, I don't know that it would be any easier for an attacker to get such a file into such a place than to just do their maliciousness some other way.
I think Guilherme's suggestion of just making those who need it call it themselves, instead of at every tkinter startup, sounds good.

| Date | User | Action | Args |
|---|---|---|---|
| 2012-11-01 19:32:41 | zach.ware | set | recipients: + zach.ware, terry.reedy, mark.dickinson, gpolo, Arfrever, asvetlov, Ramchandra Apte |
| 2012-11-01 19:32:41 | zach.ware | set | messageid: <1351798361.14.0.291306945212.issue16248@psf.upfronthosting.co.za> |
| 2012-11-01 19:32:41 | zach.ware | link | issue16248 messages |
| 2012-11-01 19:32:41 | zach.ware | create | |
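
An added example, not part of the original message or of CPython: a check an administrator could run before starting a tkinter program under another uid, reporting profile files in a home directory that someone other than the executing uid controls. The function names are hypothetical; `.Tk.py` is the file named in the message, and the `.tcl` variants, the `idle` base name and the assumption that `HOME` still points at the invoking user's directory under `sudo` are assumptions.

```python
import os
import stat


def profile_candidates(home, class_name="Tk", base_name="idle"):
    """Profile paths assumed to be read at tkinter startup.

    ".Tk.py" is the name from the message; the .tcl variants and the
    base-name files are assumptions of this example.
    """
    return [os.path.join(home, "." + stem + ext)
            for stem in (class_name, base_name)
            for ext in (".tcl", ".py")]


def audit_profiles(home, run_uid):
    """Return (path, reason) pairs where an account other than run_uid
    can decide what code run_uid executes at startup."""
    findings = []
    home_uid = os.stat(home).st_uid
    if home_uid != run_uid:
        # The directory owner can create or replace a profile at any time.
        findings.append((home, "directory owned by uid %d, program runs as uid %d"
                         % (home_uid, run_uid)))
    for path in profile_candidates(home):
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink; target is chosen by the link owner"))
            continue
        if st.st_uid != run_uid:
            findings.append((path, "owned by uid %d, executed as uid %d"
                             % (st.st_uid, run_uid)))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "writable by group or others"))
    return findings


if __name__ == "__main__":
    # The 'sudo idle' case: the process is uid 0, HOME may be the user's.
    home = os.environ.get("HOME", os.curdir)
    for path, reason in audit_profiles(home, run_uid=0):
        print("%s: %s" % (path, reason))
```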