A movable pycache - vulnerability?

Posted Jul 18, 2019 6:09 UTC (Thu) by 0x01 (guest, #112039)
In reply to: A movable __pycache__ - vulnerability? by amworsley
Parent article: What's coming in Python 3.8

the privilege level of being able to set an environment variable for a user is the same as being able to run arbitrary code as that user, no?

A movable pycache - vulnerability?

Posted Jul 18, 2019 8:59 UTC (Thu) by FLHerne (guest, #105373) [Link] (2 responses)

I think the concern was that some naive admin might set PYTHONPYCACHEPREFIX to /tmp, perhaps hoping not to accumulate 'stale' cache files, without realizing the vulnerability.

A movable pycache - vulnerability?

Posted Jul 18, 2019 13:43 UTC (Thu) by kiall (guest, #133240) [Link]

> I think the concern was that some naive admin might set PYTHONPYCACHEPREFIX to /tmp, perhaps hoping not to accumulate 'stale' cache files, without realizing the vulnerability.

At the same time a naive admin might `chmod -R ugo+w /`. Having the ability to control where that cache lives is IMO a good thing, even if some admins will make mistakes while using it.

A movable pycache - vulnerability?

Posted Jul 19, 2019 11:11 UTC (Fri) by gdamjan (subscriber, #33634) [Link]

that's why all services should be run with `PrivateTmp=yes` systemd directive

A movable pycache - vulnerability?

Posted Jul 26, 2019 18:26 UTC (Fri) by k8to (guest, #15413) [Link]

There are cases where this is untrue, for better or worse. Env vars may be viewed as a configuration system for setting options, or as a method to provide input (eg the ancient cgi interface). It's sketchy for sure as some env vars are extremely powerful, and some systems try to limit access to some of these. But there are situations in which env vars are expected to not be equivalent to code execution.

Whether this specific case represents a new problem over the other types of env vars that could enable code execution, I'm not really expert enough to comment, but there are blacklist env var approaches in the field, so adding a new such power-env-var can breach those types of defenses.

A movable pycache - vulnerability?

Posted Jul 27, 2019 4:15 UTC (Sat) by flussence (guest, #85566) [Link]

An example to the contrary is daemontools' envdir mechanism, where the permissions for modifying a process's environment are entirely disjoint from what user it runs as. Usually the envdir and its contents are root-owned, but that's just a convention.