Monday, April 30, 2018

Re: Best Practices python virtualenv

The only difference is that venv creates a link to python; it does not copy the binary
itself.
You now have
python3 -> /usr/local/bin/python3
in your venv.

Since /usr/local/ has wxallowed by default (see your /etc/fstab), it works.

Does it affect security?

In theory -- yes, because python can now create WX pages.
One may say that it sounds paranoid, and in fact it is,
but OpenBSD is _paranoid_ about security.
That is why it has W^X.

They left wxallowed for /usr/local because there is a lot
of software in ports, written by people less "security paranoid" than the OpenBSD
developers, and
this software needs WX.

Some python packages are good examples.

The Python port maintainer added wxneeded to python because
of these packages.

But if you do not use any of these packages, you can
disable wxneeded, removing any (theoretical) threat that may use WX.

That will make python more secure and (as a side effect) fix the virtualenv
problems.

It is less important for a developer laptop, but if you can improve security,
why
not?

You will not create a "big security hole" with your current approach.
You will not create one even by adding wxallowed to /home.
So, it is not a critical issue.

But I feel that decreasing security by running a wxneeded app
without a good reason (if you do not need these packages, of course) is not
the "OpenBSD way" :)
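The reply above turns on one question: which filesystem does the venv's python symlink actually resolve into, and is that filesystem mounted wxallowed? The following script is an added example (not code from the original post or from OpenBSD) that answers it from `mount` output. The mount table below is constructed to mirror a typical OpenBSD layout; on a real system you would feed it `mount` and `readlink -f venv/bin/python3` instead, as the `REAL_MOUNT` and `REAL_PATH` lines show.

```sh
#!/bin/sh
# Added example: find the mount point that contains a path and report whether
# that filesystem carries the wxallowed option. Not part of the original post.

# Constructed sample `mount` output in OpenBSD's format; /usr/local is the
# only wxallowed filesystem, as the post describes.
SAMPLE_MOUNT='/dev/sd0a on / type ffs (local)
/dev/sd0e on /usr type ffs (local, nodev)
/dev/sd0g on /usr/local type ffs (local, nodev, wxallowed)
/dev/sd0h on /home type ffs (local, nodev, nosuid)'

# fs_for_path <abs-path> <mount-output>
# Prints "<mountpoint> <options>" for the longest mount point that is a
# prefix of <abs-path>; "/" matches everything and loses to any deeper mount.
fs_for_path() {
  printf '%s\n' "$2" | awk -v p="$1" '
    {
      mp = $3
      # the option list is the parenthesised part at the end of the line
      opts = $0; sub(/^[^(]*\(/, "", opts); sub(/\)$/, "", opts)
      if (mp == "/" || p == mp || index(p, mp "/") == 1) {
        if (length(mp) > length(best)) { best = mp; bestopts = opts }
      }
    }
    END { print best, bestopts }'
}

# wx_check <abs-path> <mount-output>
# Exit status 0 if the path sits on a wxallowed filesystem, 1 otherwise.
wx_check() {
  fs=$(fs_for_path "$1" "$2")
  mp=${fs%% *}
  opts=${fs#* }
  case "$opts" in
    *wxallowed*) printf '%s: on %s (wxallowed)\n' "$1" "$mp"; return 0 ;;
    *)           printf '%s: on %s (no wxallowed)\n' "$1" "$mp"; return 1 ;;
  esac
}

# Demo on the constructed table: the interpreter the venv links to lives on
# /usr/local (wxallowed); a binary copied under /home would not.
wx_check /usr/local/bin/python3 "$SAMPLE_MOUNT"
wx_check /home/me/venv/bin/python3 "$SAMPLE_MOUNT" || :

# On a real OpenBSD host, replace the constructed values like this
# (assumed invocation; uncomment to use):
# REAL_MOUNT=$(mount)
# REAL_PATH=$(readlink -f "$HOME/venv/bin/python3")
# wx_check "$REAL_PATH" "$REAL_MOUNT"
```

The check only tells you whether the mount would permit W+X mappings; whether the interpreter actually asks for them depends on the wxneeded marker the port sets at link time (`ld -z wxneeded`), which is the flag the post suggests dropping when none of your packages need it.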
