Re: [Python-Dev] Persistent Python - a la Smalltalk

2011-09-18 Thread Zbigniew Jędrzejewski-Szmek 
Guido van Rossum wrote:

> [BCC python-dev, +python-ideas]
> 
> Funny you should mention this. ABC, Python's predecessor, worked like
> this. However, it didn't work out very well. So, I'd say you're about
> 30 years too late with your idea... :-(
Well, the newly developed IPython notebook [1] is something along those 
lines. So he's not late, he's a little bit early :)

-- Zbyszek

http://ipython.org/ipython-doc/dev/interactive/htmlnotebook.html

___
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] ImportError: No module named multiarray (is back)

2011-11-26 Thread Zbigniew Jędrzejewski-Szmek 

Hi,
I apologize in advance for the length of this mail.

sys.path

When a script or a module is executed by invoking python with proper 
arguments, sys.path is extended. When a path to script is given, the 
directory containing the script is prepended. When '-m' or '-c' is used, 
$CWD is prepended. This is documented in 
http://docs.python.org/dev/using/cmdline.html, so far ok.


sys.path and $PYTHONPATH is like $PATH -- if you can convince someone to 
put a directory under your control in any of them, you can execute code 
as this someone. Therefore, sys.path is dangerous and important. 
Unfortunately, sys.path manipulations are only described very briefly, 
and without any commentary, in the on-line documentation. python(1) 
manpage doesn't even mention them.


The problem: each of the commands below is insecure:

python /tmp/script.py (when script.py is safe by itself)
('/tmp' is added to sys.path, so an attacker can override any
 module imported in /tmp/script.py by writing to /tmp/module.py)

cd /tmp && python -mtimeit -s 'import numpy' 'numpy.test()'
(UNIX users are accustomed to being able to safely execute
 programs in any directory, e.g. ls, or gcc, or something.

 Here '' is added to sys.path, so it is not secure to run
 python is other-user-writable directories.)

cd /tmp/ && python -c 'import numpy; print(numpy.version.version)'
 (The same as above, '' is added to sys.path.)

cd /tmp && python
 (The same as above).

IMHO, if this (long-lived) behaviour is necessary, it should at least be 
prominently documented. Also in the manpage.


Prepending realpath(dirname(scriptname))

Before adding a directory to sys.path as described above, Python 
actually runs os.path.realpath over it. This means that if the path to a 
script given on the commandline is actually a symlink, the directory 
containing the real file will be executed. This behaviour is not really 
documented (the documentation only says "the directory containing that 
file is added to the start of sys.path"), but since the integrity of 
sys.path is so important, it should be, IMHO.


Using realpath instead of the (expected) path specified by the user 
breaks imports of non-pure-python (mixed .py and .so) modules from 
modules executed as scripts on Debian. This is because Debian installs 
architecture-independent python files in /usr/share/pyshared, and 
symlinks those files into /usr/lib/pymodules/pythonX.Y/. The 
architecture-dependent .so and python-version-dependent .pyc files are 
installed in  /usr/lib/pymodules/pythonX.Y/. When a script, e.g. 
/usr/lib/pymodules/pythonX.Y/script.py, is executed, the directory 
/usr/share/pyshared is prepended to sys.path. If the script tries to 
import a module which has architecture-dependent parts (e.g. numpy) it 
first sees the incomplete module in /usr/share/pyshared and fails.


This happens for example in parallel python 
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=620551) and recently 
when packaging CellProfiler for Debian.


Again, if this is on purpose, it should be documented.

PEP 395 (Qualified Names for Modules)
=

PEP 395 proposes another sys.path manipulation. When running a script, 
the directory tree will be walked upwards as long as there are 
__init__.py files, and then the first directory without will be added.


This is of course a fine idea, but it makes a scenario, which was 
previously safe, insecure. More precisely, when executing a script in a 
directory in a parent directory-writable-by-other-users, the parent 
directory will be added to sys.path.


So the (safe) operation of downloading an archive with a package, 
unzipping it in /tmp, changing into the created directory, checking that 
the script doesn't do anything bad, and running a script is now insecure 
if there is __init__.py in the archive root.



I guess that it would be useful to have an option to turn off those 
sys.path manipulations.


Zbyszek

___
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] PEP 414 updated

2012-03-04 Thread Zbigniew Jędrzejewski-Szmek 
On 03/04/2012 10:34 AM, Vinay Sajip wrote:
> https://bitbucket.org/vinay.sajip/uprefix/

 import uprefix; uprefix.register_hook()
 import frob.subwob.subsubwob
 frob.subwob.subsubwob.w

Hi,

it's pretty cool that 150 lines is enough to have this functionality.

This guard:

  if sys.version_info[0] < 3:
  raise NotImplementedError('This hook is implemented for Python 3 only')

Wouldn't it be better if the hook did nothing when on python 2?
I think it'll make it necessary to use something like

  import sys
  if sys.version_info[0] < 3:
  import uprefix
  uprefix.register_hook()

in the calling code to enable the code to run unchanged on both branches.

Also: have you though about providing a context manager which does
register_hook() in __enter__() and unregister_hook() in __exit__()?

I think that some code will want to enable the hook only for specific
modules. The number of lines could be minimized with something like this:
  import uprefix
  with uprefix.hook:
 import abcde_with_u
 import bcdef_with_u
  import other_module_without_u

Regards,
Zbyszek
___
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Open PEPs and large-scale changes for 3.3

2012-05-15 Thread Zbigniew Jędrzejewski-Szmek 
On 05/02/2012 02:24 AM, Ben Finney wrote:
> Georg Brandl  writes:
> 
>> list of possible features for 3.3 as specified by PEP 398:
>>
>> Candidate PEPs:
> […]
> 
>> * PEP 3143: Standard daemon process library

I think that http://0pointer.de/public/systemd-man/daemon.html would a
good addition to the 'see also' section. It contains a detailed listing
of steps to be taked during daemonization.

Zbyszek
___
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Add "e" (close and exec) mode to open()

2013-01-07 Thread Zbigniew Jędrzejewski-Szmek 
On Mon, Jan 07, 2013 at 06:03:54PM -0600, Benjamin Peterson wrote:
> 2013/1/7 Victor Stinner :
> > Hi,
> >
> > I would like add a new flag to open() mode to close the file on exec:
> > "e". This feature exists using different APIs depending on the OS and
> > OS version: O_CLOEXEC, FD_CLOEXEC and O_NOINHERIT. Do you consider
> > that such flag would be interesting?
Having close-on-exec makes the code much cleaner, often. Definitely
interesting.

> I'm not sure it's worth cluttering the open() interface with such a
> non-portable option. People requiring such control should use the
> low-level os.open interface.
If the best-effort fallback is included, it is quite portable. Definitely
all modern and semi-modern systems support either the atomic or the
nonatomic methods.

Zbyszek
___
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com