[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

configparser v/s file variables

On 06/28/18 00:46, Steven D'Aprano wrote:
> Yes, attacks by trusted insiders are the hardest to defend against.
> Betrayal of trust sucks. Trusted users with sufficient privileges could
> just modify the source code of your application or of Python itself. They
> could also attack your system in a thousand different ways.
> But what about untrusted users with fewer privileges? They *can't* modify
> the source code of your application, or change the password on other
> accounts, or read arbitrary files, or masquerade as other users. Because
> they have unprivileged accounts.
> So why give them the ability to escalate their privilege to that of your
> application (which probably can do lots of things they can't do) by
> directly executing Python code they supply?

???? I don't follow.? I never suggested allowing someone the ability to 
directly execute user-supplied Python code.? However, if they have the 
privileges necessary to run the application, I don't see the security 
risk.? Many applications have embedded scripting engines that do just that.

> Your argument is akin to:
> "I gave my partner a key to my house, and they could rob me blind if they
> want. Since I trust them not to, there's no point in locking the door to
> the house when I go out, since they have a key."
Not exactly.? The original question was about reading config variables 
from a file in Python.? That sort of thing didn't suggest (to me) a 
world-facing web app or other security-conscious situation.

It's more like leaving the door unlocked while I'm home...