And how can __import__ be safer? If an attacker can usurp the string in an exec call, couldn't he usurp the string in an __import__ call? And couldn't he import untrusted code? It could have a call to exec() in it? And what about the apply() function? Aren't all of these the same open door?

I love the exec() call. I love the idea of code that makes and execs code. I'll make myself obsolete. :^)

Marilyn

On Sun, 5 Dec 2004, Marilyn Davis wrote:

> On Sat, 4 Dec 2004, Chad Crabtree wrote:
>
> > Marilyn Davis wrote:
> >
> > > Thank you. You guys are great.
> > >
> > > I was trying to eval("import %s" % something).
> > >
> > > exec("import %s" % something) works just fine and now I understand why.
> > >
> > > But, why is this so extremely dangerous?
> > >
> > > Marilyn
> >
> > Mainly it's only extremely dangerous if it's going to be attacked at all. What I mean is it will run any code that it imports this way, even untrusted code (possibly). Mostly I think that it's difficult to debug, however if it works you should use it. It seems that many people do this at one point or another, and considered I guess inelegant by some. If security is an issue then this is a very big no no according to what I've heard.
>
> And Alan said:
>
> > But much better to use the __import__() function for doing that if possible... Or simply importing all the modules you might need at the beginning, it's not a big overhead...
> >
> > Alan G.
>
> There's something about this that I'm not getting.
>
> Is it more dangerous than having the python interpreter around?
>
> Users will have access to our machine via the web and via email. We want to be safe against attack.
>
> As I understand it, Apache has modpython, so it runs all the python code that happens, no matter how many users, with only one copy of the interpreter in memory. It's sort of a big exec-machine, isn't it?
>
> I want to do the same trick for my Mail Transfer Agent, exim. Exim has a new feature where you can configure it to talk to an AF_UNIX socket to get any info it needs. An AF_UNIX socket is file-based and is not open for outside machines to connect to.
>
> So I made a little python program with a socket and threads so that exim can call the various python programs that I've written for sorting out mail.
>
> I don't want to introduce insecurity. But also I want to really understand what the problem is -- especially because I teach python.
>
> And I can't see the security problem, unless there's a security problem already, like if I allowed incoming email to dictate the parameters that I send through the socket. The email provides data for argv[1:] but argv[0] is hard-coded.
>
> And I don't see how web traffic can get there at all.
>
> If we had real users with login rights, then they could get to the interpreter and wouldn't need my little daemon to wreak havoc -- if I had my permissions wrong.
>
> So what am I missing?
>
> Thank you for your help.
>
> Marilyn
>
> _______________________________________________
> Tutor maillist - [EMAIL PROTECTED]
> http://mail.python.org/mailman/listinfo/tutor
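The difference the thread is circling around, as an added example that is not part of the original messages: `exec("import %s" % text)` compiles the whole string as Python source, so one "name" can carry several modules or further statements, whereas a checked import treats the string as a name only. The allowlist and the sample inputs below are constructed for the example.

```python
"""Importing a module named by untrusted input: exec() vs. a checked import."""
import importlib
import re

# Constructed allowlist: the only modules the socket daemon may load by name.
ALLOWED_MODULES = frozenset({"json", "base64", "email"})

# A bare module path is dotted identifiers; anything else is not a name.
_MODULE_NAME = re.compile(r"^[A-Za-z_]\w*(\.[A-Za-z_]\w*)*$")


def import_via_exec(text):
    """The pattern from the thread: the whole string is compiled as source.

    Returns the names bound by the statement, to show that the text is
    parsed as Python, not treated as one module name.
    """
    namespace = {}
    exec("import %s" % text, namespace)
    return sorted(k for k in namespace if not k.startswith("__"))


def safe_import(text):
    """Import by name without exec(): validate the string, then allowlist.

    Raises ValueError for anything that is not a plain module name or is
    not on the allowlist; the input is never compiled as source.
    """
    if not _MODULE_NAME.match(text):
        raise ValueError("not a module name: %r" % text)
    if text.split(".")[0] not in ALLOWED_MODULES:
        raise ValueError("module not permitted: %r" % text)
    return importlib.import_module(text)


def classify(text):
    """Report how the two approaches treat one input string."""
    try:
        safe_import(text)
        checked = "imported"
    except ValueError as exc:
        checked = "rejected (%s)" % exc
    return {"exec_binds": import_via_exec(text), "checked": checked}


if __name__ == "__main__":
    # Constructed inputs: a real name, and a string that is a statement fragment.
    for sample in ("json", "json, base64"):
        print(sample, "->", classify(sample))
```

The same validation applies to __import__(): it is only safer than exec() because the string it receives is a name, not source, and the allowlist is what keeps that name within the modules the daemon was written to use.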