Mailinglist Archive: yast-devel (73 mails)

< Previous Next >
Re: [yast-devel] Moving stuff from /sbin /bin /lib /lib64 to /usr/*
On Mon, 7 Jul 2014 14:17:40 +0200
Arvin Schnell <aschnell@xxxxxxx> wrote:

On Mon, Jul 07, 2014 at 02:11:48PM +0200, Lukas Ocilka wrote:
On 7.7.2014 14:07, Josef Reidinger wrote:

I have general question and I think answer to it should be
somewhere written as documented decision.

Why we use absolute path to binary? I think proper set PATH in
environment should be goal and use common path. Also from security
point of view it is quite useless because if PATH is attacked, then
also any real root action is attacked.

Sure, I myself also prefer the shorter way, but I think it was
because of security. Let's ask our security expert if this is
really the case, or whether it has changed meanwhile.

Bug https://bugzilla.novell.com/show_bug.cgi?id=794084 mentions
some reasons.

Regards,
Arvin


I see some reasons, but I worry that we need to proper fix PATH
otherwise

1) any call that do not have absolute path is security problem ( I know
a lot of places where we call e.g. sed without absolute path, so simple
fake sed in some location can be used to get root permissions )
2) if some module need path that is not standard, then it is up to
module to properly set it or use absolute path
3) we are affected by changes of binary as showed above

Josef
--
To unsubscribe, e-mail: yast-devel+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: yast-devel+owner@xxxxxxxxxxxx

< Previous Next >
Follow Ups