buildout needs a global egg unzip flag
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Buildout | Fix Released | Undecided | Unassigned |
Bug Description
I've been trying lately to identify places where the Zope 2 server needs
write access that might be insecure. One spot is the $HOME/.egg-info
directory used to unpack zipped egg files. I realize that it's Python
doing this, and not Zope itself, but it's still a security problem if
the server process needs write access to a directory that contains its
own code.
I've solved this problem in the past by using easy_install's
--always-unzip flag when fetching eggs. I'd like to be able to do the
same thing via buildout.
Note that zc.recipe.egg allows you to set an "unzip = true" flag. It
would be great if an option like this was available globally in buildout
so that "eggs = " sections in the top-level buildout would always be
unzipped.
Agreed.
BTW, there's also an environment variable you can set to tell
setuptools where to unpack things other than ~. You could set up a
directory for this purpose and set the environment variable.
Jim
On Jan 10, 2008, at 11:59 AM, Steve McMahon wrote:
> Public bug reported: /bugs.launchpad.net/bugs/181820
>
> I've been trying lately to identify places where the Zope 2 server
> needs
> write access that might be insecure. One spot is the $HOME/.egg-info
> directory used to unpack zipped egg files. I realize that it's Python
> doing this, and not Zope itself, but it's still a security problem if
> the server process needs write access to a directory that contains its
> own code.
>
> I've solved this problem in the past by using easy_install's
> --always-unzip flag when fetching eggs. I'd like to be able to do the
> same thing via buildout.
>
> Note that zc.recipe.egg allows you to set an "unzip = true" flag. It
> would be great if an option like this was available globally in
> buildout
> so that "eggs = " sections in the top-level buildout would always be
> unzipped.
>
> ** Affects: zc.buildout
> Importance: Undecided
> Status: New
>
> --
> buildout needs a global egg unzip flag
> https:/
> You received this bug notification because you are the bug contact for
> Buildout.
--
Jim Fulton
Zope Corporation
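An added example, not part of the bug report or of buildout itself: a small audit a deployer can run over a buildout's eggs directory to see which eggs are still zipped, and which of those carry compiled modules that setuptools has to extract at import time. It assumes the setuptools behaviour of extracting into the directory named by PYTHON_EGG_CACHE (default ~/.python-eggs on Unix); the function names and sample egg names are constructed for illustration.

```python
import os
import tempfile
import zipfile

# Compiled modules cannot be imported from inside a zip, so they get extracted.
NATIVE_SUFFIXES = (".so", ".pyd", ".dll", ".dylib")

def audit_eggs(eggs_dir):
    """Classify each *.egg entry under eggs_dir.

    Returns {name: state}: 'unzipped' (a directory, nothing to extract),
    'zipped' (imported straight from the archive) or 'zipped-native'
    (holds compiled modules, so it is extracted to a cache at import time).
    """
    report = {}
    for name in sorted(os.listdir(eggs_dir)):
        path = os.path.join(eggs_dir, name)
        if not name.endswith(".egg"):
            continue
        if os.path.isdir(path):
            report[name] = "unzipped"
        elif zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as egg:
                native = any(m.lower().endswith(NATIVE_SUFFIXES)
                             for m in egg.namelist())
            report[name] = "zipped-native" if native else "zipped"
    return report

def egg_cache_dir(environ=os.environ):
    """Extraction directory: PYTHON_EGG_CACHE, else ~/.python-eggs (Unix default)."""
    return environ.get("PYTHON_EGG_CACHE") or os.path.expanduser("~/.python-eggs")

def build_sample(root):
    """Constructed sample eggs directory (hypothetical package names)."""
    os.makedirs(os.path.join(root, "pure_unzipped-1.0-py2.4.egg", "EGG-INFO"))
    for name, member in (("pure_zipped-1.0-py2.4.egg", "pkg/__init__.py"),
                         ("speedups-1.0-py2.4-linux-i686.egg", "pkg/_speedups.so")):
        with zipfile.ZipFile(os.path.join(root, name), "w") as egg:
            egg.writestr(member, b"")
            egg.writestr("EGG-INFO/PKG-INFO", "Name: sample\n")
    return root

if __name__ == "__main__":
    sample = build_sample(tempfile.mkdtemp())
    for egg, state in audit_eggs(sample).items():
        print(f"{state:14} {egg}")
    cache = egg_cache_dir()
    print("extraction cache:", cache, "writable:", os.access(cache, os.W_OK))
```

Run as the account the server runs under, a `zipped-native` entry combined with a writable cache directory is the condition the report describes; installing that egg unzipped removes the need for the cache.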