New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The security descriptors of python binaries in Windows are not strict enough #50052
Comments
The security descriptors of python binaries (like python.exe, Test environment: windows vista, python 2.6 |
Thanks for the reply. I can log in as a non-admin user and replace Hong On Sun, Feb 7, 2010 at 7:14 PM, Brian Curtin <report@bugs.python.org> wrote:
|
Is the situation any different if you install Python to "C:\Program Files"? This seems to be at least part of the reason IronPython installs to "C:\Program Files", which was discussed on the IronPython list [1] a few months ago. [1] http://lists.ironpython.com/pipermail/users-ironpython.com/2009-October/011345.html |
Sorry for the delay, it's been a busy month. I just tried python 3.1 If installed under c:\program files, the The default installation is to c:\python31, in which the access I guess a possible remedy to this is that after installation, the Thanks, On Mon, Feb 8, 2010 at 7:23 AM, Brian Curtin <report@bugs.python.org> wrote:
|
Even if we changed the ACL of the executable, any user could still add malicious code to be executed on import, as the C:\PythonXY directory doesn't require specific privileges for writing to it, and it shouldn't by default. When installed to "C:\Program Files", certain privileges are required to install anything, so regular users can't install third party code or swap out the interpreter. If you need the added security, you are more than welcome to choose to install Python to a more secure location. Defaulting to "C:\Program Files" isn't necessary. See also: issues bpo-1074873 and bpo-818030 |
See also bpo-1284316, which is still open, and should probably remain open even though there's no consensus to make a change (yet?). |
Sure. Thank you for the information! Hong On Tue, Mar 2, 2010 at 4:26 AM, R. David Murray <report@bugs.python.org> wrote:
|
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: