Message 310039 - Python tracker

Message310039

Author	ncoghlan
Recipients	brett.cannon, christian.heimes, larry, ncoghlan, nedbat, petr.viktorin, steve.dower
Date	2018-01-16.06:32:39
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1516084359.86.0.467229070634.issue32551@psf.upfronthosting.co.za>
In-reply-to

Content
PR submitted for 3.5. Since the problem was in a full release this time (rather than a pre-release the way it was for 3.6), I've reclassified it as a security bug, since it means some previously safe operations (where no user-writable directory would end up on sys.path even without the "-I" switch) are technically unsafe. There's a fair combination of factors required for it to actually cause a problem though: - it only comes up if you're not using isolated mode (so the "workaround" is "Use isolated mode when running privileged processes", which is something we recommend doing anyway) - it only comes up for directory or zipfile execution, not normal script execution - you have to be executing an admin-controlled directory or zipfile, rather than one the user has write access to (otherwise there's no new opportunity for code injection introduced) - for actual privilege escalation to take place as a result of the code injection, you have to be running the command with elevated privileges That said, I suspect exactly the above may happen when using PEX files (https://github.com/pantsbuild/pex), since I can't find any reference in their code to forcing the use of isolated mode in the underlying interpreter.

Content

PR submitted for 3.5. Since the problem was in a full release this time (rather than a pre-release the way it was for 3.6), I've reclassified it as a security bug, since it means some previously safe operations (where no user-writable directory would end up on sys.path even without the "-I" switch) are technically unsafe.

There's a fair combination of factors required for it to actually cause a problem though:

- it only comes up if you're *not* using isolated mode (so the "workaround" is "Use isolated mode when running privileged processes", which is something we recommend doing anyway)
- it only comes up for directory or zipfile execution, *not* normal script execution
- you have to be executing an admin-controlled directory or zipfile, rather than one the user has write access to (otherwise there's no new opportunity for code injection introduced)
- for actual privilege escalation to take place as a result of the code injection, you have to be running the command with elevated privileges

That said, I suspect exactly the above may happen when using PEX files (https://github.com/pantsbuild/pex), since I can't find any reference in their code to forcing the use of isolated mode in the underlying interpreter.

History
Date	User	Action	Args
2018-01-16 06:32:39	ncoghlan	set	recipients: + ncoghlan, brett.cannon, larry, christian.heimes, nedbat, petr.viktorin, steve.dower
2018-01-16 06:32:39	ncoghlan	set	messageid: <1516084359.86.0.467229070634.issue32551@psf.upfronthosting.co.za>
2018-01-16 06:32:39	ncoghlan	link	issue32551 messages
2018-01-16 06:32:39	ncoghlan	create