Mailinglist Archive: opensuse-factory (381 mails)

< Previous Next >
Re: [opensuse-factory] Proposal to remove pyc/pyo from Python on TW
  • From: Alberto Planas Dominguez <aplanas@xxxxxxx>
  • Date: Fri, 05 Oct 2018 17:36:59 +0200
  • Message-id: <96175881.ob1XYSMpO7@lena>
On Friday, October 5, 2018 5:10:56 PM CEST Joachim Wagner wrote:
If Python is started as non-privileged this user would need write access
to pycache.

Or is the plan to have separate caches for each user?

My first python shim is doing this yes, but is a bit of naive approach

Or do you want to implement privilege escalation in the
Python shim loader?

How about splitting the cache into two users with normal privileges? When
python running as a normal user does not find a cache entry it contacts a
local service running as the other user to request a cache entry for a py
file. The service checks that the py file is from the system (to prevent
users from feeding malicious py files to the service), compiles it and puts
it into the cache. Optionally, it could check the cache size and delete
some of the files that have not been accessed in a while.

Right, this is something that I proposed in a later email. Use the same user
to store the pycache information. I kind of like this approach more, as the
apparmor / security issue is not anymore there.

--
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Dilip Upmanyu, Graham
Norton, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5, 90409 Nürnberg, Germany


--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-factory+owner@xxxxxxxxxxxx

< Previous Next >