oss-sec mailing list archives
Re: Python Unsafe Module Loading
From: Robert Buchholz <rbu () gentoo org>
Date: Thu, 5 Jun 2008 12:15:16 +0200
On Thursday 05 June 2008, Ned Ludd wrote:
On Thu, 2008-06-05 at 10:10 +0200, Robert Buchholz wrote:On Wednesday 04 June 2008, Ned Ludd wrote:So for nearly every python based program you can simply dump *.so *.py *.pyc files just about anywhere on the file system where an admin might invoke python.As I also pointed out in our bug [1], this only happens in two cases: (1) The interactive shell is used to run python code. (2) A python script resides inside an untrusted directory. What I expect to be the most common use case, running python code from /usr, or /home, is safe. Since all out-of-the-box software would be installed in directories that are not world-writable, I am tempted call (2) an error on the user side. Changing the behaviour of python in this manner would also break existing programs. Robert [1] https://bugs.gentoo.org/show_bug.cgi?id=224925Re: (1) How this limited to interactive shells? Our portage/emerge being directly not vuln is left to near sheer luck that Nick.C opted to shove a path into our portage module a-long time ago.. But our tools are questionable as it all depends on load order.. More examples: solar@media /tmp $ touch re.so solar@media /tmp $ cat foo.py import string print "foo" solar@media /tmp $ python foo.py Traceback (most recent call last): File "foo.py", line 1, in ? import string File "/usr/lib/python2.4/string.py", line 83, in ? import re as _re ImportError: /tmp/re.so: file too short solar@media /tmp $ ls -l re.so -rw-r--r-- 1 solar solar 0 Jun 5 01:22 re.so (2) yeah that's pretty much 50% of the problem.
The problem you demonstrated above was caused by (2), running a python script that is located in /tmp. Portage, and most other python programs, are not installed in /tmp, and therefore they do not import files from /tmp, even if they are actually called there: rbu@peanut /tmp $ touch re.so rbu@peanut /tmp $ cat /home/rbu/foo.py import string print "foo" import sys print sys.path rbu@peanut /tmp $ python /home/rbu/foo.py foo ['/home/rbu', '/usr/lib64/portage/pym', '/usr/lib64/python25.zip', '/usr/lib64/python2.5', '/usr/lib64/python2.5/plat-linux2', '/usr/lib64/python2.5/lib-tk', '/usr/lib64/python2.5/lib-dynload', '/usr/lib64/python2.5/site-packages', '/usr/lib64/python2.5/site-packages/Numeric', '/usr/lib64/python2.5/site-packages/gtk-2.0'] Robert
Attachment:
signature.asc
Description: This is a digitally signed message part.
Current thread:
- Python Unsafe Module Loading Ned Ludd (Jun 04)
- Re: Python Unsafe Module Loading Robert Buchholz (Jun 05)
- Re: Python Unsafe Module Loading Ned Ludd (Jun 05)
- Re: Python Unsafe Module Loading Florian Weimer (Jun 05)
- Re: Python Unsafe Module Loading Robert Buchholz (Jun 05)
- Re: Python Unsafe Module Loading Ned Ludd (Jun 05)
- Re: Python Unsafe Module Loading Robert Buchholz (Jun 05)