From: Michael Torrie
Date: Mon, 11 Mar 2013 22:05:07 -0600
To: python-list@python.org
Subject: Re: Running external module and accessing the created objects
Newsgroups: comp.lang.python

On 03/11/2013 06:48 PM, Dave Angel wrote:
> I hope you're just kidding. execfile() and exec() are two of the most
> dangerous mechanisms around. import or __import__() would be much
> better, as long as your user hasn't already run myapp.py as his script.

It's not possible to setuid a python script, so I don't see how execfile
or exec is any more dangerous than the user creating a shell script that
rm -rf * things, and then running it.

Bash "exec's" scripts all the time that users create and provide. How is
this different and what issues did you have in mind, exactly?