[Twisted-Python] twistd possible hole
Glyph Lefkowitz
glyph at twistedmatrix.com
Sat Sep 22 19:30:40 MDT 2001
I understand your concern, but I don't think we can classify it as a "hole"
unless it violates a specified invariant. Before continuing this discussion, we
should identify the security strategy that twistd will pursue. I believe that
the working directory of a twistd process should uniquely identify that process
and that the process -- maybe this is not a good idea. The reason that the
particular feature you're talking about was implemented is purely as a
convenience; hopefully in the future there will be some way to scan for Twisted
plugins, and I was thinking that the Python path might not be the right place
to do that search. A good security strategy may be to "freeze" a server by not
giving it write permissions to that directory, so that it can never reconfigure
itself, but in that case an additional 'persistence' mechanism will probably be
required.
So, what are our invariants? In what ways should we buttress those invariants
with OS-specified guarantees? There are probably some other things we need to
look at eliminating, too.
On Fri, Sep 21, 2001 at 05:35:17PM +0300, Moshe Zadka wrote:
> twistd adds the running-directory to the system include path.
> I'm not sure I like it, because it must have write access
> to the running directory to dump pickles, and having applications
> have write permissions there. What's more, in the case where
> the running directory is shared between several twistd instances,
> it means one twistd instance can corrupt others via messing with
> their path. Why was it done? If there is no good reason,
> I suggest we drop it.
--
http://twistedmatrix.com/users/glyph
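The hazard Moshe describes (a shared, writable running directory on the import path lets one instance decide what another one imports) and the "freeze" invariant Glyph floats (the process must not be able to write to that directory) can both be made concrete in a few lines. The following is an added example written for this archive page; it is not Twisted code and not code from either poster. The module name `plugin_settings_demo`, the planted payload and the helper names are hypothetical, and the directory is a constructed temporary one so the demo runs offline.

```python
"""Added example: why a writable working directory on sys.path is a hazard,
and how a 'frozen' (non-writable) directory check would express the invariant.
Not Twisted code; all names below are hypothetical."""
import importlib
import os
import shutil
import sys
import tempfile
import textwrap


def plant_module(run_dir, name, source):
    """Simulate a co-tenant of a shared run directory dropping <name>.py there.
    Any process that later puts run_dir on sys.path will import this file."""
    path = os.path.join(run_dir, name + ".py")
    with open(path, "w") as f:
        f.write(textwrap.dedent(source))
    importlib.invalidate_caches()  # the file appeared after interpreter start
    return path


def import_with_run_dir(run_dir, name):
    """Mimic 'twistd adds the running-directory to the system include path':
    prepend run_dir (if given) to sys.path, import name, and return the module,
    or None on ImportError. sys.path and sys.modules are restored afterwards."""
    saved_path = list(sys.path)
    sys.modules.pop(name, None)
    if run_dir is not None:
        sys.path.insert(0, run_dir)
    try:
        return importlib.import_module(name)
    except ImportError:
        return None
    finally:
        sys.path[:] = saved_path
        sys.modules.pop(name, None)


def run_dir_is_frozen(run_dir):
    """The 'freeze' invariant from the reply: trust a directory as an import
    location only if this process cannot write to it. Assumption: write access
    for the process implies write access for a co-tenant running under the same
    credentials, which is the shared-directory case in the quoted message."""
    return os.path.isdir(run_dir) and not os.access(run_dir, os.W_OK)


def demo():
    """Run the hijack in a fresh temporary directory and report what happened."""
    run_dir = tempfile.mkdtemp(prefix="shared_twistd_")
    name = "plugin_settings_demo"  # hypothetical module a second instance imports
    results = {}
    try:
        # Constructed payload: looks like a settings module, 'planted' by another instance.
        plant_module(run_dir, name, """
            PLANTED_BY = "other-instance"
            def reconfigure():
                return "attacker-controlled"
        """)
        results["writable_dir_frozen"] = run_dir_is_frozen(run_dir)  # False: hazard
        mod = import_with_run_dir(run_dir, name)
        results["hijacked"] = mod.reconfigure() if mod else None  # "attacker-controlled"
        results["inert_without_run_dir"] = import_with_run_dir(None, name) is None  # True
        os.chmod(run_dir, 0o555)  # freeze: drop the process's write permission
        results["readonly_dir_frozen"] = run_dir_is_frozen(run_dir)  # True for a non-root POSIX user
        # os.access ignores mode bits for root and on non-POSIX systems, so flag that.
        results["freeze_check_applicable"] = (
            os.name == "posix" and getattr(os, "geteuid", lambda: 1)() != 0)
    finally:
        os.chmod(run_dir, 0o755)
        shutil.rmtree(run_dir, ignore_errors=True)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first half shows the corruption path from the quoted message: whoever can write to the shared directory controls the imports of every instance that started there, and the planted file is harmless the moment that directory is no longer on the path. The second half is the cheapest form of the invariant Glyph sketches: if the directory is both an import location and a place the process must write pickles to, the check fails, which is exactly the tension he notes about needing a separate persistence mechanism.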