Author pitrou
Recipients Arfrever, Ramchandra Apte, asvetlov, gpolo, mark.dickinson, pitrou, terry.reedy, zach.ware
Date 2012-11-01.19:55:33
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1351799734.1.0.290662731143.issue16248@psf.upfronthosting.co.za>
In-reply-to
Content
As Zachary and Ramchandra explained, the security issue is obvious: a non-sudoer user A can make a sudoer user B execute arbitrary code, simply by placing a file where IDLE will be run from.

This is the same reason Python has -s and -E options. The least we could do would be to disable readprofile() when sys.flags.ignore_environment is true.
History
Date User Action Args
2012-11-01 19:55:34 pitrou set recipients: + pitrou, terry.reedy, mark.dickinson, gpolo, Arfrever, asvetlov, Ramchandra Apte, zach.ware
2012-11-01 19:55:34 pitrou set messageid: <1351799734.1.0.290662731143.issue16248@psf.upfronthosting.co.za>
2012-11-01 19:55:34 pitrou link issue16248 messages
2012-11-01 19:55:33 pitrou create
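
One way to apply the check proposed in the message above, as an added example that is not part of the tracker message and is not CPython's code: a hypothetical `read_trusted_profile()` helper refuses to load a startup profile when `sys.flags.ignore_environment` is set. It goes beyond the message by also rejecting files that are not owned by a trusted uid or that are writable by group or others. POSIX is assumed; the helper name, its parameters, the reason strings and the sample file name are constructed.

```python
import os
import stat
import sys
import tempfile


def read_trusted_profile(path, ignore_environment=None, trusted_uids=None):
    """Return (source, reason); source is None when the profile must not run.

    Hypothetical helper for illustration, not tkinter's or IDLE's API.
    """
    if ignore_environment is None:
        ignore_environment = bool(sys.flags.ignore_environment)
    if ignore_environment:  # the check proposed in the message (-E given)
        return None, "disabled by -E"
    if trusted_uids is None:
        trusted_uids = {os.getuid(), 0}  # assumption: only self and root are trusted
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_NONBLOCK", 0)
    try:
        fd = os.open(path, flags)
    except OSError:
        return None, "not readable"
    try:
        st = os.fstat(fd)  # inspect the opened file, not the path (avoids a race)
        if not stat.S_ISREG(st.st_mode):
            return None, "not a regular file"
        if st.st_uid not in trusted_uids:
            return None, "owned by an untrusted user"
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return None, "writable by group or others"
        with open(fd, "rb", closefd=False) as fh:
            return fh.read(), "ok"
    finally:
        os.close(fd)


if __name__ == "__main__":
    # Constructed sample: a profile file in a scratch directory.
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, ".Idle.py")
        with open(p, "w") as f:
            f.write("print('profile ran')\n")
        os.chmod(p, 0o600)
        print(read_trusted_profile(p, ignore_environment=False))
        print(read_trusted_profile(p, ignore_environment=True))
        os.chmod(p, 0o666)
        print(read_trusted_profile(p, ignore_environment=False))
```

Under sudo the process uid is 0, so with the default `trusted_uids` a file owned by the unprivileged user is rejected before any of its contents are executed.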