On Tue, 2005-06-21 at 13:06 +0200, Tomas Mraz wrote:
> > More (much more?) work for little gain, but likely the correct solution
> > would be to configure SELinux policy to recognize a python program
> > trying to write a pyo file and allow that to pass. (Coupled with %
> > ghosting.)
>
> No, that wouldn't be secure. The written .pyo file could be arbitrary
> code which if run again for example from a different security context
> could exploit your system even more.

Just to be sure, is this really a problem at all? We're not shipping
python set up to generate the .pyc and .pyo files by default, AFAIK,
we're merely making rpm run the .pyc's through python -O. So if you log
in as root and run some random python program that has a bunch of .py's
in /usr/lib/python2.4/site-packages/, that shouldn't be generating
.pyc's and .pyo's. This is _just_ /usr/lib/rpm/brp-redhat running
brp-python-bytecompile, which in turn uses python -O to make .pyc's.
It's not something at runtime.

-- 
Peter
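The property Tomas is relying on, that a bytecode file is executed in place of the source with no integrity check beyond a header comparison, can be shown directly. The following is an added example, not code from the thread, from RPM or from Fedora's brp-python-bytecompile. It uses the Python 3 `__pycache__` layout and the 16-byte timestamp-based .pyc header of Python 3.7 and later rather than the Python 2.4 .pyc/.pyo files the thread discusses; the module name `victim`, both source strings and the helper names are constructed for the demonstration. It writes a module, plants a cache file compiled from different source whose header claims the real source's mtime and size, imports the module, and reports which code ran; a second call with a stale header shows that the timestamp check is all that stands between the two outcomes.

```python
import importlib
import importlib.util
import marshal
import os
import sys
import tempfile

# Constructed sample module, and the bytecode an attacker would plant in its place.
SOURCE_TEXT = "def answer():\n    return 'from source'\n"
PLANTED_TEXT = "def answer():\n    return 'from planted bytecode'\n"


def build_pyc(source_text, source_path, mtime, size):
    """Serialize source_text as a timestamp-based .pyc (Python 3.7+ header layout)
    whose header claims the given source mtime and size. Those two fields, plus
    the magic number, are all the import system verifies before executing it."""
    code = compile(source_text, source_path, "exec")
    header = (
        importlib.util.MAGIC_NUMBER                        # interpreter magic
        + (0).to_bytes(4, "little")                        # flags 0: timestamp-based
        + (int(mtime) & 0xFFFFFFFF).to_bytes(4, "little")  # claimed source mtime
        + (size & 0xFFFFFFFF).to_bytes(4, "little")        # claimed source size
    )
    return header + marshal.dumps(code)


def import_with_planted_pyc(match_header):
    """Write victim.py, plant a __pycache__ entry compiled from PLANTED_TEXT,
    import the module and return the string its answer() produces.

    match_header=True  -> header mtime/size match victim.py, so the planted
                          bytecode is trusted and executed instead of the source.
    match_header=False -> header mtime is stale, so the cache is ignored and
                          Python recompiles victim.py from source.
    """
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "victim.py")
        with open(src, "w") as fh:
            fh.write(SOURCE_TEXT)
        st = os.stat(src)
        mtime = st.st_mtime if match_header else st.st_mtime + 1000

        # Same file name the SourceFileLoader will look for, e.g.
        # __pycache__/victim.cpython-311.pyc
        cache = importlib.util.cache_from_source(src)
        os.makedirs(os.path.dirname(cache), exist_ok=True)
        with open(cache, "wb") as fh:
            fh.write(build_pyc(PLANTED_TEXT, src, mtime, st.st_size))

        sys.path.insert(0, workdir)
        sys.modules.pop("victim", None)
        importlib.invalidate_caches()
        try:
            return importlib.import_module("victim").answer()
        finally:
            sys.modules.pop("victim", None)
            sys.path.remove(workdir)


if __name__ == "__main__":
    print("matching header:", import_with_planted_pyc(True))
    print("stale header:   ", import_with_planted_pyc(False))
```

The practical reading for the build-time case in the thread is that whoever can write a cache file next to a .py, with a header matching that .py, gets to choose the code that runs for every later importer of the module; that is why a policy that lets an arbitrary process write such files into a system directory is worth more scrutiny than the rpm-only build step Peter describes.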