Re: Should I redefine PATH in my shell scripts



On Nov 27, 9:25 pm, Barry Margolin <bar...@xxxxxxxxxxxx> wrote:
In article <87tz9t55lu....@xxxxxxxxxxx>,
 Maxwell Lol <nos...@xxxxxxxxxxx> wrote:

James Kanze <james.ka...@xxxxxxxxx> writes:
If it is a script that might be executed as root, it is
absolutely essential, for security reasons, that you set
your path.  Otherwise, you don't know what you're getting.
 Which is a definite no-no as root.

Definite? I don't agree.

I don't think you can assume a script writer knows
more about the security of a system than the system admin.

James Kanze seems to be thinking of a script that's run by
root but with PATH somehow set by a non-root.  This could
conceivably happen if the OS allows setuid scripts, but
doesn't set a default PATH when performing the uid change.
 This would be analogous to a system that didn't reset
LD_LIBRARY_PATH when exec'ing a setuid executable.

Yes. Since it is a situation that I've actually seen. But even
otherwise; the person working as root could have set some other
path, in order to get the version of the utility he wants, but
that version could cause problems with your script. The person
who set the path knows which version of the utility he will get,
and how it behaves; the only way you, as a script author, can
know that is if you set the path.

--
James Kanze (GABI Software) email:james.kanze@xxxxxxxxx
Conseils en informatique orientée objet/
Beratung in objektorientierter Datenverarbeitung
9 place Sémard, 78210 St.-Cyr-l'École, France, +33 (0)1 30 23 00 34
.



Relevant Pages

  • Re: Should I redefine PATH in my shell scripts
    ... absolutely essential, for security reasons, that you set your ... a definite no-no as root. ... I don't think you can assume a script writer knows ... allows setuid scripts, but doesn't set a default PATH when performing ...
    (comp.unix.shell)
  • Re: Can I set the access level to the files with specified suffix when creating?
    ... script as executable using chmod, and there are security reasons ... Only root or the owner of a script can chmod the ...
    (linux.redhat)
  • IBM Informix Web DataBlade: Local root by design
    ... IBM Informix Web DataBlade: Local root by design ... Impact: Any user who can: 1) Save a Perl script anywhere on the server's ... admin right on any database can do it by loading the WDB module into ...
    (Bugtraq)
  • RE: Linux hacked
    ... I would also suggest using a simple script in the future that alerts ... Subject: Linux hacked ... To get back into your account you want to use, at the boot manager ... boot normally and you should be able to login as root with your new ...
    (Security-Basics)
  • Root hints updates
    ... This is a script to automagically update the root hints file. ... a copy from the existing root servers - yes, it will deal with the case ... It verifies FTP transfers. ...
    (comp.protocols.dns.bind)