| From | Chris Angelico <rosuav@gmail.com> |
|---|---|
| Date | Tue, 15 Apr 2014 19:35:46 +1000 |
| Subject | Re: Python, Linux, and the setuid bit |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.9277.1397554549.18130.python-list@python.org> |

On Tue, Apr 15, 2014 at 7:28 PM, Richard Kettlewell <rjk@greenend.org.uk> wrote:
> This program is on a security boundary, the pathological cases are
> precisely the ones the attacker looks for.
>
> (It’s hard to see how an attacker could turn this into a useful attack.
> But perhaps the attacker has more imagination than me.)

Quite frankly, I don't even care :) It's easy enough to fix the bug. The idiomatic code will compile without warnings *and* be secure, so I'm not seeing any reason to use the existing form.

All I'm saying is that it's normally going to happen to work; sure, an attacker might well be able to get into something (although if you can generate 4GB of environment, the fact that it doesn't get zeroed is likely to be less of a concern than the massive DOS potential of a huge env!!), but casual usage will have it seeming to work. The obvious solution is right in every possible way, so that's the thing to do moving forward.

ChrisA