
Re: [LUG] Python Question

 

On 23/10/12 12:15, Robin Cornelius wrote:
> On 23 October 2012 10:34, Adam Latham <adam.latham@xxxxxxxxxxxxxxxxxxx> wrote:
>> Hi all!
>>
>> Just a brief one.  We've finally managed to convince the IT department in the 
>> Academy I work at to try Python.  Which is pretty cool in itself.
>>
>> However, as they run Windows 7 and everything is locked down pretty tight, I'm 
>> wondering about the wisdom of the default install path.
>>
>> I should mention they've opted for the community edition of ActivePython (why? No 
>> idea...) and have installed in the C:\Python2.7 directory.
>>
>> They're intending for people to use Idle to develop.
>>
>> Having briefly played with it and done the obligatory os.getcwd(), Idle is running 
>> straight out of the Python directory.
>>
>> Don't ask me why but it just rang some alarm bells.
>>
>> Whilst I'm sure that the average student at my school has little desire or skill 
>> to run malicious scripts, it just seems a bit mental to allow these to be run 
>> directly on this path.
>>
>> Am I just being paranoid?  What about a CLI argument such as:
>>
>> idle.py -c "os.chdir('some-user-path')"
>>
>> Added to the shortcut/launcher?
>>
>> Any comments or suggestion welcomed. I'd like them to at least give python a good 
>> go, rather than give it up as too difficult to configure...
>>
>> Write permissions to the c:\ drive are strictly controlled, I should add, and the 
>> userspace is in H:\
>>
>
> It should not be a problem IMHO. Python likes to install to
> c:\Python27, but that is just where it and its libraries live; you
> don't need write permission there other than to install it in the
> first place, and that is no different to installing in %PROGRAMFILES%.
> It is nice, however, to have C:\Python27 added to the %PATH% (either
> system or user) to prevent some insanity later when running scripts.
>
> Users should be writing Python files in their home directories and
> running them from there too so any output gets saved. The python.exe
> will be running under their userid and should have no more permissions
> than they do regularly, so it can't write to places they can't and can't
> read from files they cannot. However, if this is a *very* locked down
> system and they are prevented from getting to a command prompt etc., then
> Python will give them access to files that might otherwise be cut off
> from them; it should not be a problem in theory, but it is worth considering.
>
> Robin
>

Oh dear, ActivePython rears its ugly head again... highly *not*
recommended unless your sysadmins have *really* locked down these
systems. Even if they have locked them down, beware creative students -
you have just provided them with a pretty lethal tool, and at least one
of them at some point is going to want to have a little "play" with the
system to see how far they can push it. Particularly if your standard
environment is particularly draconian or restrictive. ActivePython
doesn't have a good security record either, so you're right to be alarmed,
just not for the right reasons.

https://www.google.co.uk/search?q=active+python+cve

You should be particularly concerned about CVE-2012-5379. Don't forget
your smartest and most evil students are going to be quite capable of
yanking the network cable when nobody's looking, booting a live distro
from USB/DVD or just using one of the offline NT SAM database attacks to
get local admin rights and dropping their tools and payloads into place.
Once you've got escalated privileges and access to a language like
python or perl almost unlimited damage can be done.

I'm not saying your users are going to do this, but (some) will like to
push the limits as much as they can, just to experiment and not
necessarily out of maliciousness. However, when you're in charge of the
network security their motivation isn't important, just the potential
results of their tinkering.

ActivePython installed in your described setup is a bad idea, and a
disaster waiting to happen. You have been warned...

Regards

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq