On Tue, 2005-06-21 at 13:41 -0400, John Dennis wrote:
>
> I think Tomas's observation is correct. The python interpreter we ship
> does attempt to generate .pyc files when it executes a .py file if it's
> non-existent or out of date. It can be a security issue if the .pyc
> or .pyo file is malicious. It might be malicious if the .py file was
> malicious, but that is less likely since .py files are installed by
> root. However, if you allow any user/process to write a .pyo file for
> later execution you do expose yourself to malicious intent via a .pyc
> or .pyo which is not derived from the source .py.

I would think SELinux could be configured to allow each particular python program to write the pyo's that belong to them and only them. As long as that's the case it wouldn't really be any arbitrary code which could overwrite the pyo's.

If so, the exploit route is: a python program which takes user input and writes out files. It is also probably setuid, otherwise the malicious user can't circumvent the UNIX permissions to write to it. Malicious user gives input to the program that tricks it into overwriting one of the pyo's present with some python bytecode that does something even worse. They then rerun the program, executing the new bytecode to do what they wish.

It's better than running without SELinux but it isn't as secure as running with SELinux disallowing writes altogether.

-Toshio
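An added example, not part of the original message: a defender-side audit that walks a tree and reports `.pyc`/`.pyo` files that someone other than the owner can replace, that have no source file, or whose header no longer matches the source. It assumes a current CPython with the 16-byte PEP 552 header (the interpreter discussed in the thread used an older layout), and the function name `audit_bytecode` is hypothetical.

```python
import importlib.util
import os
import stat
import struct
import sys

def audit_bytecode(root):
    """Return sorted (path, reason) findings for .pyc/.pyo files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith((".pyc", ".pyo")):
                continue
            path = os.path.join(dirpath, name)
            # Group/other write on the file or its directory lets a non-owner swap the bytecode.
            for target in (path, dirpath):
                if os.stat(target).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                    findings.append((path, "writable by non-owner: " + target))
            try:
                source = importlib.util.source_from_cache(path)  # __pycache__ layout
            except ValueError:
                source = path[:-1]  # legacy layout: foo.pyc / foo.pyo beside foo.py
            if not os.path.exists(source):
                findings.append((path, "no matching source file"))
                continue
            with open(path, "rb") as fh:
                header = fh.read(16)
            # Assumption: 16-byte header = magic, flags, source mtime, source size.
            if len(header) < 16 or header[:4] != importlib.util.MAGIC_NUMBER:
                findings.append((path, "magic number is not this interpreter's"))
                continue
            flags, mtime, size = struct.unpack("<III", header[4:16])
            if flags & 1:
                continue  # hash-based pyc: no timestamp to compare
            st = os.stat(source)
            # A matching header does not prove the bytecode came from the source
            # (the header is trivially forged); the permission check is the real control.
            if mtime != int(st.st_mtime) & 0xFFFFFFFF or size != st.st_size & 0xFFFFFFFF:
                findings.append((path, "header does not match source mtime/size"))
    return sorted(findings)

if __name__ == "__main__":
    for path, reason in audit_bytecode(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path + ": " + reason)
```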