On Thu, 08 Sep 2016, Russ Allbery wrote:
> Lars Wirzenius <l...@liw.fi> writes:
> > Python doesn't put . in sys.path (the search path for imported
> > modules). It puts the absolute path where the script was found as the
> > first element. See https://docs.python.org/2/library/sys.html#sys.path
> > for details.
>
> That's a little better but not a lot better. It means that it's still
> unsafe to run any script out of a world-writeable directory such as /tmp,
> even if the sticky bit is set.

And we have cases of this: I just filed #837534: apt-listchanges: postinst
runs a Python script out of /tmp/.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
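An added check, not from this thread nor from apt-listchanges, that makes the point above concrete: it audits sys.path entries for directories any local user can write to, and it treats a sticky-bit directory such as /tmp as still risky, because the sticky bit only stops deletion of other users' files, not creation of a new module file that shadows an import. The directory layout built by `demo_fixture()` is constructed for the demonstration.

```python
import os
import stat
import sys
import tempfile
from typing import List, Tuple


def writable_by_others(path: str) -> Tuple[bool, bool]:
    """Return (world_writable, sticky) for a directory; (False, False) if it is missing."""
    try:
        st = os.stat(path)
    except OSError:
        return False, False
    return bool(st.st_mode & stat.S_IWOTH), bool(st.st_mode & stat.S_ISVTX)


def audit_import_path(paths: List[str]) -> List[Tuple[str, str]]:
    """Flag sys.path entries where an unprivileged local user could plant a module.

    The script's own directory is sys.path[0], so a script run from /tmp imports
    from /tmp first. A sticky bit does not help: anyone may still create files.
    """
    findings = []
    for entry in paths:
        if entry == "":
            findings.append((entry, "empty entry: the current working directory"))
            continue
        world, sticky = writable_by_others(entry)
        if world and sticky:
            findings.append((entry, "world-writable; sticky bit does not stop new files"))
        elif world:
            findings.append((entry, "world-writable"))
    return findings


def script_dir_is_risky() -> bool:
    """True when the running script's own directory (sys.path[0]) is flagged."""
    return bool(audit_import_path(sys.path[:1]))


def demo_fixture() -> Tuple[str, str]:
    """Constructed layout: a /tmp-like sticky 1777 directory and a normal 0755 one."""
    base = tempfile.mkdtemp()
    sticky_dir = os.path.join(base, "sticky")
    safe_dir = os.path.join(base, "safe")
    os.mkdir(sticky_dir)
    os.chmod(sticky_dir, 0o1777)
    os.mkdir(safe_dir)
    os.chmod(safe_dir, 0o755)
    return sticky_dir, safe_dir


if __name__ == "__main__":
    for entry, why in audit_import_path(sys.path):
        print(f"WARNING: {entry!r}: {why}")
```

Running it at the top of a script from /tmp warns before any further import; running it under /usr/share/<package> stays silent.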