The recent redhat-rpm-config change and you

Toshio Kuratomi toshio at tiki-lounge.com
Tue Jun 21 20:24:21 UTC 2005


On Tue, 2005-06-21 at 13:41 -0400, John Dennis wrote:
> 
> I think Tomas's observation is correct. The python interpreter we ship
> does attempt to generate .pyc files when it executes a .py file if it's
> non-existent or out of date. It can be a security issue if the .pyc
> or .pyo file is malicious. It might be malicious if the .py file was
> malicious, but that is less likely since .py files are installed by
> root. However, if you allow any user/process to write a .pyo file for
> later execution you do expose yourself to malicious intent via a .pyc
> or .pyo which is not derived from the source .py.

I would think SELinux could be configured to allow each particular
python program to write the pyo's that belong to them and only them.  As
long as that's the case it wouldn't really be any arbitrary code which
could overwrite the pyo's.

If so, the exploit route is: a python program which takes user input and
writes out files.  It is also probably setuid, otherwise the malicious
user can't circumvent the UNIX permissions to write to it.  Malicious
user gives input to the program that tricks it into overwriting one of
the pyo's present with some python bytecode that does something even
worse.  They then rerun the program, executing the new bytecode to do
what they wish.

It's better than running without SELinux but it isn't as secure as
running with SELinux disallowing writes altogether.

-Toshio
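
The following is an added example, not part of the original message or of any Fedora tooling: a check an administrator could run to flag cached bytecode that is writable by non-owners or that was not produced from its source file. It assumes Python 3.7+ (16-byte .pyc header); the function names and the sample module are hypothetical and constructed for the demonstration.

```python
import importlib.util
import marshal
import os
import py_compile
import stat
import tempfile
from pathlib import Path

HEADER_LEN = 16  # Python 3.7+ .pyc header: magic, flags, then mtime+size or hash


def audit_bytecode(source_path, pyc_path):
    """Return findings for one cached bytecode file (empty list = clean)."""
    findings = []
    # Writable by group or other: any such account can replace the bytecode.
    if os.stat(pyc_path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable-by-non-owner")
    data = Path(pyc_path).read_bytes()
    if data[:4] != importlib.util.MAGIC_NUMBER:
        return findings + ["bad-magic"]
    try:
        cached = marshal.loads(data[HEADER_LEN:])  # parsed only, never executed
    except (EOFError, ValueError, TypeError):
        return findings + ["unparseable"]
    source = Path(source_path).read_bytes()
    expected = compile(source, str(source_path), "exec", dont_inherit=True)
    # Code objects compare by bytecode, constants and names, so a body that was
    # not produced from this source is caught even when the header is valid.
    if cached != expected:
        findings.append("not-derived-from-source")
    return findings


def demo():
    """Constructed sample: compile a module, then swap in foreign bytecode."""
    with tempfile.TemporaryDirectory() as tmp:
        src, pyc = Path(tmp, "tool.py"), Path(tmp, "tool.pyc")
        src.write_text("def greet():\n    return 'hello'\n")
        py_compile.compile(str(src), cfile=str(pyc), doraise=True)
        pyc.chmod(0o644)
        clean = audit_bytecode(src, pyc)
        # Keep the valid header, replace the body with other compiled code.
        other = compile("def greet():\n    return 'replaced'\n", str(src), "exec")
        pyc.write_bytes(pyc.read_bytes()[:HEADER_LEN] + marshal.dumps(other))
        pyc.chmod(0o666)
        return clean, audit_bytecode(src, pyc)


if __name__ == "__main__":
    print(demo())
```

The comparison must run under the same interpreter version and optimization level that produced the cached file, since both change the compiled output.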