[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug #18576] -execdir vs. PATH

From: Eric Blake
Subject: [bug #18576] -execdir vs. PATH
Date: Fri, 29 Dec 2006 20:43:41 +0000
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20061204 Firefox/ Mnenhy/

Follow-up Comment #8, bug #18576 (project findutils):

True, any command that invokes another app (nice, su, nohup, ...) can perform
PATH searches.  But is this really find's problem?  It is not sensible to
teach find about every program that invokes one of its arguments as another
program.  Maybe a compromise is in order: if PATH contains relative elements,
find should always issue a warning, regardless of whether command or its
arguments have a /, on the grounds that the invoked command may also cause an
insecure PATH search.  Additionally, if command does not contain /, and a PATH
search encounters a relative path before finding command, then find should
outright fail.  In other words, only fail when find can _prove_ that a
relative path search will occur, but warn the user of the security potential
without worrying about deciphering the semantics of how command will further
parse its arguments.


Reply to this item at:


  Message sent via/by Savannah

reply via email to

[Prev in Thread] Current Thread [Next in Thread]