bug-bash

Re: bashbug chooses wrong $EDITOR executable


From: Bob Proulx
Subject: Re: bashbug chooses wrong $EDITOR executable
Date: Sat, 20 Jun 2009 17:13:56 -0600
User-agent: Mutt/1.5.18 (2008-05-17)

Chet Ramey wrote:
> Bob Proulx wrote:
> > It seems okay to leave PATH alone to me.  Why set it at all?
> > 
> > I don't see the security issue that you are concerned about.  Could
> > you educate me?
> 
> I suppose it's not a large security hole if $EDITOR is used, only
> when bashbug chooses $DEFEDITOR.

Even then I don't see any security hole there.  The PATH is already
set when the script is invoked.  It is the PATH the caller wishes to
use, invoking the $EDITOR command the caller wishes to invoke.  I see
no privilege escalation there.

> Frankly, though, it's a good idea to set PATH to have the standard
> binary directories before any others when writing a shell script,
> especially one that can be run by root.  That's just good practice.

I respectfully disagree.  Strongly!  :-) PATH is a configuration of
the caller's environment.  It isn't a good idea to change it just to
override the caller's desired environment.  Normal programs should not
be changing it against the caller's wishes.  (By normal in this case I
mean programs that don't change the privilege level, meaning not 'su'
or 'sudo' or so forth.)

I think for the purposes of invoking $EDITOR that the caller's PATH
should be respected.

Bob
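
The lookup behaviours debated in this thread, as an added example that is not bashbug's code and not written by either poster. It shows which executable a bare editor name resolves to when a script keeps the caller's PATH, when it puts standard directories first, and when it uses standard directories only for its own default editor. The names `resolve_editor`, `make_demo`, `STD_PATH`, `DEFAULT_EDITOR`, `myedit` and `defedit` are hypothetical, and the directory layout is constructed.

```shell
#!/bin/sh
# Added illustration, not bashbug's code. STD_PATH, DEFAULT_EDITOR and the
# program names "myedit" and "defedit" are constructed for this demo.

# resolve_editor POLICY: print the executable a script would end up running.
#   caller   - look the editor up on the PATH the script was invoked with
#   override - standard directories first, as a script that resets PATH does
#   split    - caller's PATH for $EDITOR; standard directories only when the
#              script falls back to its own default editor
resolve_editor() {
    std=${STD_PATH:-/bin:/usr/bin}
    name=${EDITOR:-}
    name=${name%% *}                # first word only; EDITOR may carry options
    search=$PATH
    case $1 in
        caller)   ;;
        override) search=$std:$PATH ;;
        split)    [ -n "$name" ] || search=$std ;;
        *)        return 2 ;;
    esac
    [ -n "$name" ] || name=${DEFAULT_EDITOR:-vi}
    # Subshell, so the lookup PATH never leaks into the calling script.
    ( PATH=$search; command -v "$name" )
}

# make_demo: constructed layout with same-named programs in two directories;
# prints the root directory.
make_demo() {
    root=$(mktemp -d) || return 1
    for d in std home; do
        mkdir "$root/$d"
        for prog in myedit defedit; do
            printf '#!/bin/sh\necho "%s copy"\n' "$d" > "$root/$d/$prog"
            chmod +x "$root/$d/$prog"
        done
    done
    printf '%s\n' "$root"
}

demo=$(make_demo) || exit 1
for policy in caller override split; do
    with=$(PATH=$demo/home:$PATH; STD_PATH=$demo/std; EDITOR=myedit
           resolve_editor "$policy")
    without=$(PATH=$demo/home:$PATH; STD_PATH=$demo/std; unset EDITOR
              DEFAULT_EDITOR=defedit; resolve_editor "$policy")
    printf '%-8s EDITOR=myedit: %s\n         EDITOR unset:  %s\n' \
        "$policy" "${with#"$demo"/}" "${without#"$demo"/}"
done
rm -rf "$demo"
```

Under `override` the caller's `myedit` is replaced by the same-named program in the standard directory, while `split` keeps the caller's choice and applies the fixed search path only to the fallback.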



