Security and $PATH
guido at mcvax.UUCP
guido at mcvax.UUCP
Wed Aug 3 03:00:49 AEST 1983
There is another point concerned that came to my mind when reading the
original article that Guy Harris doesn't touch. When a program which
lives, e.g., in /bin, uses other programs out there (say, "sort"), it
should either specify the full pathname (but surely this makes the program
less portable than desired), or it should explicitly SET THE PATH VARIABLE
before calling execvp() or system(). (I think you need some hacking
with extern char **environ to accomplish this in C.)
I saw this happen (rather harmless, though, in that case) where the "man"
program failed to work due to a shell script called "nroff" in someone's
private bin directory, which shell script called the real nroff after
some manipulations that used a file which had recently disappeared.
You understand this can happen to any program which carelessly uses
system(); and also easily to shell scripts (where the remedy is easiest,
though: start with PATH=/bin:/usr/bin or whatever you need).
Guido van Rossum, Math. Centre, Amsterdam
...!{decvax,philabs,ukc,...}!mcvax!guido
More information about the Comp.unix.wizards
mailing list