Mailinglist Archive: yast-devel (73 mails)

< Previous Next >
Re: [yast-devel] Moving stuff from /sbin /bin /lib /lib64 to /usr/*
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi.

Am 07.07.2014 14:11, schrieb Lukas Ocilka:
On 7.7.2014 14:07, Josef Reidinger wrote:
On Mon, 07 Jul 2014 14:01:15 +0200 Lukas Ocilka
<lukas.ocilka@xxxxxxxx> wrote:
[...]

I have general question and I think answer to it should be
somewhere written as documented decision.

Why we use absolute path to binary? I think proper set PATH in
environment should be goal and use common path. Also from
security point of view it is quite useless because if PATH is
attacked, then also any real root action is attacked.

For me it is more native to write "rm -rf /" and not
"/usr/bin/rm -rf /".

Sure, I myself also prefer the shorter way, but I think it was
because of security. Let's ask our security expert if this is
really the case, or whether it has changed meanwhile.

I would suggest to set PATH to a safe value (/bin, /sbin, /usr/bin,
/usr/sbin, maybe more) in your code and use the short form of the
command for your convenience. This also increase the stability of your
code.

Attacking code via PATH is only interesting in scenarios where a
normal user can execute a privileged binary (setuid, for example) and
this privileged code relies on PATH or other environment variables.
If you use sudo/su the PATH should be ok. The same for calling it
directly as root.

HTH
Thomas
- --
Thomas Biege <thomas@xxxxxxx>, Team Leader MaintenanceSecurity, CSSLP
SUSE LINUX Products GmbH
GF: Jeff Hawn, Jennifer Guild, Felix Imend├Ârffer
HRB 21284 (AG N├╝rnberg)
- --
Wer aufhoert besser werden zu wollen, hoert auf gut zu sein.
-- Marie von Ebner-Eschenbach
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTu7/9AAoJEJqHoVJVjr8DiGsH/1SpZ4NTct+BtIKoUcitoqJe
/AyynwYwRgTGLnEQLJtCWRbv9VAPIi4jtRFcEdB1X9f/MzHJ1bhzJSp992+UQqjp
4e4TPLKCKzHVQxAKyg5iEZurjo4Ui2qm7K5uAe/4k9Wz1PfA6ztIyOLPqfmAPLN4
fCrvbHa4hHorUJbl/nRCh0IJvxwy2vyhhLTjubrf9fScfy2UV+tg6DhnFFf42rgo
wNYivs6e9IxW55tlEK474WnFDFxGNkFhxZ5bZBmOHgafl6FGN56RVspZAZDkST0S
jDbEnsD1Ki6GY62eTGqcSy0T+NAhdwhLjrYH0MtpzFASut2ZjyQwbBJZApccyd0=
=ab7a
-----END PGP SIGNATURE-----
--
To unsubscribe, e-mail: yast-devel+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: yast-devel+owner@xxxxxxxxxxxx

< Previous Next >
Follow Ups