[Bf-python] Security and the rexec module

Willian Padovani Germano wgermano at ig.com.br
Mon May 19 06:17:31 CEST 2003


Hi, guys

Bad news about rexec:

"Python 2.2.2 and earlier provided a rexec module running untrusted
code. However, it's never been exhaustively audited for security and it
hasn't been updated to take into account recent changes to Python such
as new-style classes. Therefore, the rexec module should not be trusted.
To discourage use of rexec, this HOWTO has been withdrawn.

The rexec and Bastion modules have been disabled in the Python CVS tree,
both on the trunk (which will eventually become Python 2.3alpha2 and
later 2.3final) and on the release22-maint branch (which will become
Python 2.2.3, if someone ever volunteers to issue 2.2.3).

For discussion of the problems with rexec, see the python-dev threads
starting at the following URLs:

http://mail.python.org/pipermail/python-dev/2002-December/031160.html

and

http://mail.python.org/pipermail/python-dev/2003-January/031848.html"

I just found this on http://www.amk.ca/python/howto/rexec/

One of the two links above leads to a message from Guido himself (Python's
creator):

"(...)Hm...  Do you see any way to break out of restricted execution
mode using this?  I suppose a fix would be simple enough, but I'm more
and more inclined to simply rip out rexec from the distribution -- it's
never going to be safe, and I doubt it's very useful as long as it's
not safe.

--Guido van Rossum"

Well, let's keep looking for something ...

--
Willian, wgermano at ig.com.br
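Since the post's conclusion is that rexec never was a trustworthy boundary and that "something" else is needed, here is the kind of alternative a defender would reach for when the untrusted input is a simple expression rather than arbitrary code. This is an added example, not code from the post, from Blender, or from the Python project: instead of handing the string to the interpreter under a restricted environment (the rexec approach), it parses it with the standard `ast` module and walks only an explicit allow-list of node types, rejecting attribute access, calls, subscripts and everything else before any evaluation happens. The operator allow-list, the `UnsafeExpression` class and the `max_len` limit are design choices of this example; `**` is deliberately left out so an input like a huge power cannot exhaust CPU or memory.

```python
import ast
import operator

# Constructed allow-lists for this example: only plain arithmetic, unary
# operators and comparisons are permitted.  Pow is intentionally absent.
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.Mod: operator.mod, ast.FloorDiv: operator.floordiv,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos, ast.Not: operator.not_}
_CMP_OPS = {
    ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
    ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge,
}


class UnsafeExpression(ValueError):
    """Raised for any input outside the allow-list (hypothetical name)."""


def safe_eval(expr, variables=None, max_len=200):
    """Evaluate a restricted arithmetic/boolean expression.

    The untrusted string is never executed by the interpreter; it is
    parsed to an AST and only allow-listed node types are interpreted,
    so there is no restricted "mode" to break out of.
    """
    variables = variables or {}
    if len(expr) > max_len:
        raise UnsafeExpression("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as e:
        raise UnsafeExpression("syntax error: %s" % e)

    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant):
            # Numbers, booleans and None only; no strings or bytes.
            if isinstance(node.value, (int, float)) or node.value is None:
                return node.value
            raise UnsafeExpression("constant type not allowed")
        if isinstance(node, ast.Name):
            # Names resolve only against the caller-supplied dict,
            # never against builtins or module globals.
            if node.id in variables:
                return variables[node.id]
            raise UnsafeExpression("unknown name %r" % node.id)
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](ev(node.left), ev(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](ev(node.operand))
        if isinstance(node, ast.BoolOp):
            values = [ev(v) for v in node.values]
            return all(values) if isinstance(node.op, ast.And) else any(values)
        if isinstance(node, ast.Compare):
            # Chained comparisons such as 1 < x < 10 are evaluated pairwise.
            left = ev(node.left)
            for op, comp in zip(node.ops, node.comparators):
                if type(op) not in _CMP_OPS:
                    raise UnsafeExpression("comparison not allowed")
                right = ev(comp)
                if not _CMP_OPS[type(op)](left, right):
                    return False
                left = right
            return True
        # Attribute, Call, Subscript, Lambda, comprehensions, f-strings, ...
        raise UnsafeExpression("node type not allowed: %s" % type(node).__name__)

    return ev(tree)


def is_rejected(expr, variables=None):
    """True when safe_eval refuses the input; used to check the deny cases."""
    try:
        safe_eval(expr, variables)
    except UnsafeExpression:
        return True
    return False


if __name__ == "__main__":
    print(safe_eval("1 + 2 * 3"))                      # 7
    print(safe_eval("1 < x < 10", {"x": 5}))           # True
    print(is_rejected("().__class__.__bases__"))       # True: attribute access
    print(is_rejected("__import__('os')"))             # True: call
    print(is_rejected("2 ** 100000"))                  # True: pow not allowed
```

The key difference from rexec is where the trust boundary sits: rexec tried to run the full interpreter with some doors locked and, as Guido's message says, new doors kept appearing; an allow-list interpreter only ever opens the doors listed above, so adding a Python feature cannot widen it. It is correspondingly far less capable, which is the trade-off to accept when the input really must be untrusted.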
