I’ll start out by admitting that Python is something I know very little about, and my purpose is to secure machines from un-vetted code.
Since many applications/applets use Python, devs can use the easy_install abilities in setuptools to get needed code automagically during setup. Very useful, and it makes setup much more reliable and pain-free for the user, but it opens the possibility of actually adding security loopholes without the user’s knowledge.
A quick perusal of the easy_install abilities shows that some control can be specified by limiting the download sources with an entry in distutils.cfg, such as:
However, unless I read the available information incorrectly, this list of sources can be overridden by invoking easy_install with a specific source as a parameter, making the attempt at preventing unwanted code ineffective.
I’m hoping someone with more experience can suggest a method that will prevent/flag this scenario.
Thanks in advance, and since this is really a security issue and not truly a programming problem, feel free to move this thread if there is a more appropriate venue.
Bumping this thread since I haven’t had any response.
To describe my problem in more detail: a Python “egg” package was installed using a setup script provided by the author. Watching the net activity during the install was puzzling, since I knew the sources for easy_install were limited in the distutils.cfg file.
Since the install has to be done as root, the provided setup script called a specific location for downloading missing packages, meaning easy_install was invoked during the script with a source parameter overriding the limitations in distutils.cfg (a possibility I wasn’t aware of at that time).
There appears to be no way of disabling this command-line ability, which makes third-party setup scripts somewhat unsafe.
The second thing about this install that I did not understand, and perhaps someone involved with creating the Python 2.6 packages might be able to answer, is that connections are also made to “packages.opensuse-community.org”, or what we refer to as Webpin. Perhaps it attempts to see if there are already packaged versions created, but it goes there looking in spite of the defined locations in distutils.cfg.
Well, perhaps the conclusion is that when you run somebody else’s install script, sometimes you can’t easily see what it is doing. This is even true of official scripts. I don’t see how you can get around this except not to use the install script and vet everything before installing it yourself.
Maybe you can write a replacement for easy_install that discards any source site overrides before calling the (renamed) easy_install script.
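One way to build the replacement Ken describes, as an added example that is not code from this thread, from setuptools or from openSUSE. It assumes the real script has been renamed to /usr/bin/easy_install.real, and that the options which choose a download source are -f/--find-links, -i/--index-url and -H/--allow-hosts (the option names as easy_install documents them); the wrapper itself, its file name and the AmbiguousOptions error are inventions of this example. It also drops a bare URL given in place of a package name, since that fetches directly from that location, and refuses bundled short options it cannot classify rather than guessing:

```python
#!/usr/bin/env python
"""Stand-in for the easy_install command that drops any command-line option
choosing where packages are fetched from, so the limits set in distutils.cfg
cannot be overridden by a third-party setup script.

Assumptions made by this example (not from the thread): the original script
has been renamed to /usr/bin/easy_install.real, and the source-selecting
options are -f/--find-links, -i/--index-url and -H/--allow-hosts."""
import os
import sys

REAL_EASY_INSTALL = "/usr/bin/easy_install.real"   # assumed renamed original

# short flag -> long name, for the options that pick a download source
SOURCE_OPTIONS = {"-f": "--find-links", "-i": "--index-url", "-H": "--allow-hosts"}
LONG_SOURCE_OPTIONS = set(SOURCE_OPTIONS.values())
URL_SCHEMES = ("http://", "https://", "ftp://", "file://", "svn+", "git+", "hg+")


class AmbiguousOptions(ValueError):
    """Raised for an argument this wrapper cannot classify safely."""


def is_url(arg):
    return arg.lower().startswith(URL_SCHEMES)


def is_long_source_option(name):
    # getopt, which distutils' option parser builds on, accepts unambiguous
    # abbreviations of long names, so any prefix of a source option counts.
    return len(name) > 2 and any(opt.startswith(name) for opt in LONG_SOURCE_OPTIONS)


def strip_source_overrides(argv):
    """Return (kept, dropped) for an easy_install argument list.

    Covers the spellings the option parser accepts: -f URL, -fURL,
    --find-links URL, --find-links=URL, abbreviated long names, and a bare
    URL in place of a package name (which fetches from that location).
    """
    kept, dropped = [], []
    i, options_done = 0, False
    while i < len(argv):
        arg = argv[i]
        if options_done or not arg.startswith("-"):
            (dropped if is_url(arg) else kept).append(arg)
        elif arg == "--":
            options_done = True
            kept.append(arg)
        elif arg.startswith("--"):
            name, has_value = arg.partition("=")[0], "=" in arg
            if is_long_source_option(name):
                dropped.append(arg)
                if not has_value:            # value is the next argument
                    dropped.extend(argv[i + 1:i + 2])
                    i += 1
            else:
                kept.append(arg)
        elif arg[:2] in SOURCE_OPTIONS:     # -f URL or -fURL
            dropped.append(arg)
            if len(arg) == 2:
                dropped.extend(argv[i + 1:i + 2])
                i += 1
        elif any("-" + c in SOURCE_OPTIONS for c in arg[2:]):
            # Either a bundled cluster (-Zf URL) or a value that happens to
            # contain a source letter (-dfoo). Telling them apart needs
            # easy_install's full option table, so refuse rather than guess.
            raise AmbiguousOptions(arg)
        else:
            kept.append(arg)
        i += 1
    return kept, dropped


def main(argv=None):
    argv = sys.argv[1:] if argv is None else argv
    try:
        kept, dropped = strip_source_overrides(argv)
    except AmbiguousOptions as exc:
        sys.stderr.write("easy_install wrapper: cannot parse %r safely; "
                         "spell options out separately (e.g. -Z -f URL)\n" % str(exc))
        return 2
    if dropped:
        sys.stderr.write("easy_install wrapper: ignoring source override(s): %s\n"
                         % " ".join(dropped))
    os.execv(REAL_EASY_INSTALL, [REAL_EASY_INSTALL] + kept)


if __name__ == "__main__":
    sys.exit(main())
```

Installed as /usr/bin/easy_install after the original is renamed, the wrapper logs what it discarded to stderr and then hands the remaining arguments to the real script, so the sources configured in distutils.cfg are the only ones that apply. It only covers the command-line path described in this thread; a setup script that imports setuptools and fetches packages in-process, rather than running the easy_install command, is not affected by it.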
Thanks for your input, Ken. I had thoughts along those lines also… mine was simply to exit gracefully if the parameter is used, but I like yours better.