[issue31616] Windows installer: Python binaries are user-writable

2017-09-28 Thread Steve Dower
Steve Dower added the comment: Correct, this is expected behavior. If you want your system to be secure *and* to modify default settings, you have to take full responsibility for that. You can't rely on other tools to have secure non-default settings (they should have secure *default* setting

[issue31616] Windows installer: Python binaries are user-writable

2017-09-28 Thread R. David Murray
R. David Murray added the comment: I'll let Steve be the one to close this, but it sounds like this isn't even a doc bug (i.e., it is standard Windows practice).

[issue31616] Windows installer: Python binaries are user-writable

2017-09-28 Thread Paul Moore
Paul Moore added the comment: Standard Windows behaviour, in my experience, is inherited permissions. IMO, the current behaviour is correct - we default to an OS-managed secure location for system-wide installs, and a user-modifiable location for user installs. If the person doing the install

[issue31616] Windows installer: Python binaries are user-writable

2017-09-28 Thread R. David Murray
R. David Murray added the comment: In fact, this is a backward compatibility issue. Users expect that if you install it in the old location, it behaves like it did in the old location (lower security), and this is probably depended on by a number of users of python. We *could* change it in

[issue31616] Windows installer: Python binaries are user-writable

2017-09-28 Thread Pat K
Pat K added the comment: Thank you for the explanation. I understand this is intentional. However, a user without such knowledge of inheritable permissions might want to default the installation directory to the old one (C:\PythonXX) and could easily run into this issue without knowing. IMHO extra

[issue31616] Windows installer: Python binaries are user-writable

2017-09-28 Thread Eryk Sun
Eryk Sun added the comment: The "(I)" flag in an icacls entry means it's inherited from the parent directory. The installer doesn't override these inherited permissions. Currently, it's your responsibility to do this if you install to a custom directory such as C:\Python36. Starting with Py

[issue31616] Windows installer: Python binaries are user-writable

2017-09-28 Thread Pat K
New submission from Pat K: This seems to affect different versions of the Python Windows installer. The problem is that when Python is installed for all users (requires elevation), its binaries and DLLs are shipped with writable permission for "Authenticated Users": PS C:\Python36> icacls python.exe p