Methinks anyone using sudo to allow non-root-users to execute specific scripts without giving them full root perms is relying on security by obscurity at this point. (Ditto for setuid Python scripts BTW.)
--Guido

On 1/10/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> Got this from a Google alert overnight. It's not really a Python problem
> (it's a sudo problem), but it's probably not a bad idea to understand the
> implications.
>
> >> SUDO Python Environment Cleaning Privilege Escalation ...
> >> Secunia - UK
> >> ... This can be exploited by a user with sudo access to a python script
> >> to gain access to an interactive python prompt via the "PYTHONINSPECT"
> >> environment variable ...
> >> <http://secunia.com/advisories/18358/>
>
> Skip
> _______________________________________________
> Python-Dev mailing list
> Python-Dev@python.org
> http://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe:
> http://mail.python.org/mailman/options/python-dev/guido%40python.org
>

--
--Guido van Rossum (home page: http://www.python.org/~guido/)
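Added example, not part of the original thread: a check that shows an inherited `PYTHONINSPECT` reaching a child interpreter, and two ways a privileged wrapper can keep it out (dropping every `PYTHON*` variable, or starting the interpreter with `-E`). The helper names and the environment values are hypothetical and constructed for the demonstration.

```python
import os
import subprocess
import sys

# Ask the child interpreter which startup flags it actually ended up with.
PROBE = "import sys; print(sys.flags.inspect, sys.flags.ignore_environment)"


def scrub_python_env(env):
    """Return a copy of env without any PYTHON* interpreter-control variables."""
    return {k: v for k, v in env.items() if not k.upper().startswith("PYTHON")}


def child_flags(env, interpreter_args=()):
    """Run PROBE in a child interpreter; return (inspect, ignore_environment)."""
    out = subprocess.run(
        [sys.executable, *interpreter_args, "-c", PROBE],
        env=env,
        stdin=subprocess.DEVNULL,  # non-interactive stdin: the child never waits at a prompt
        capture_output=True,
        text=True,
        timeout=30,
        check=True,
    ).stdout
    inspect_flag, ignore_env = out.split()[:2]
    return int(inspect_flag), int(ignore_env)


def demo():
    # Constructed environment standing in for what the invoking user controls.
    tainted = dict(os.environ, PYTHONINSPECT="1", PYTHONPATH="/constructed/path")
    return {
        "inherited": child_flags(tainted),                    # variable honoured
        "scrubbed": child_flags(scrub_python_env(tainted)),   # variable removed
        "dash_E": child_flags(tainted, ["-E"]),               # variable ignored
    }


if __name__ == "__main__":
    for name, (inspect_flag, ignore_env) in demo().items():
        print(f"{name:10s} inspect={inspect_flag} ignore_environment={ignore_env}")
```

Scrubbing only covers variables the interpreter reads at startup; it does nothing about other caller-controlled inputs to the script itself.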