> No, this would contradict the security measure.
What security does this change provide?

First of all, this restriction provides very little additional security.
1. You don't protect Windows and OSX against the same attack
2. The attack is still possible in the context of the user account
3. You're preventing a valid use case of running the tooling as fakeroot
4. An attacker could use the same techniques and build something into the 
resulting binary and compromise far more people
5. Also with Python I'm wondering how easily the check can be monkey patched 
out

So based on your reasoning and point 4 I would say add something to stop a 
user from using pyinstaller in the first place ;)

For now I'll need to hack it out. I would appreciate it if you changed it to 
give a warning but still allow it to be ignored in the case of fakeroot.

Thanks in advance,

On Sunday, March 24, 2013 1:40:26 PM UTC+1, Hartmut Goebel wrote:
>
>  On 19.03.2013 23:00, Joachim Metz wrote:
>  
> PyInstaller now seems to have a restriction that it cannot run under root.
> "You are running PyInstaller as user root."
>  
>  1. Can you elaborate what the reason for this restriction is? And why is this 
> only done for "Unix", not for OSX or Windows?
>
>
> a) PyInstaller does path-manipulation, imports hook-files and other stuff 
> which can be changed by users. This would allow attackers to delete your 
> whole file-system by injecting a malicious module.
> b) There is no need for running PyInstaller as root. 
> c) Root is the super user. One ought not use it for building software.
>
> 2. This check is also triggered when running under fakeroot
>  e.g. from dpkg-buildpackage -r fakeroot
>
>  Can you add a flag to override this behavior or fix the detection for 
> root under fakeroot?
>
>
> No, this would contradict the security measure.
>
> -- 
>  Kind regards 
> Hartmut Goebel 
>  Dipl.-Informatiker (univ), CISSP, CSSLP 
>
> Goebel Consult 
> http://www.goebel-consult.de 
>
> Monthly column: 
> http://www.cissp-gefluester.de/2012-09-steht-ein-manta-fahrer-vor-der-uni 
> Blog: http://www.goebel-consult.de/blog/20050620 
>
> Goebel Consult is a member of http://www.7-it.de/ 
>  
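
The risk named in point a) of the quoted reply is that a privileged run imports modules and hook files from places other accounts can modify. The following is an added example, not part of this thread and not PyInstaller's code: it audits import directories and their parents for that condition. The function names and the choice of uid 0 as the only trusted owner are assumptions.

```python
import os
import stat
import sys


def untrusted_writers(path, trusted_uids=(0,)):
    """Return the reasons why `path` can be modified by an untrusted account."""
    st = os.stat(path)
    reasons = []
    if st.st_uid not in trusted_uids:
        reasons.append("owned by uid %d" % st.st_uid)
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    # The sticky bit (as on /tmp) does not help: anyone can still add new files.
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_import_dirs(dirs, trusted_uids=(0,)):
    """Map each risky directory to its findings.

    Whoever can write to a parent can replace the directory itself,
    so every ancestor up to the filesystem root is checked as well.
    """
    findings = {}
    for d in dirs:
        cur = os.path.realpath(d or os.getcwd())  # '' in sys.path means cwd
        while True:
            if os.path.isdir(cur) and cur not in findings:
                reasons = untrusted_writers(cur, trusted_uids)
                if reasons:
                    findings[cur] = reasons
            parent = os.path.dirname(cur)
            if parent == cur:  # reached the filesystem root
                break
            cur = parent
    return findings


if __name__ == "__main__":
    # Audit the interpreter's own import path, as a privileged build would see it.
    for path, reasons in sorted(audit_import_dirs(sys.path).items()):
        print("%s: %s" % (path, ", ".join(reasons)))
```

Hook and spec directories passed to a build can be audited the same way by adding them to the list given to `audit_import_dirs`.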
