On Sun, Dec 31, 2006 at 11:04:11AM -0600, Mike Pritchard wrote:
> On Sun, Dec 31, 2006 at 11:07:29AM +0000, Yar Tikhiy wrote:
> > yar 2006-12-31 11:07:29 UTC
> >
> > FreeBSD src repository
> >
> > Modified files:
> > etc rc.subr
> > Log:
> > Allow for /usr/bin/env when parsing the shebang line from an
> > interpreted $command. Some "portable" software packages use such a
> > line to skip the task of figuring out the absolute pathname of the
> > interpreter at install time, e.g.:
> >
> > #!/usr/bin/env python
> >
> > It is insecure, but a popular book on Python seems to have advised
> > it to a wide audience. Hence a number of such scripts in the ports,
> > mostly written in Python.
>
> If it's insecure, then why allow it? If the ports need a patch to make it
> secure, then they should be patched.
>
> I don't like seeing something from rc.subr with a comment about it
> being less secure....
It's only a security problem in the case of an insecure path. This isn't generally the case for rc.d's execution context. It's only a security issue if administrators are stupid enough to place untrustworthy directories such as "." in root's path.

-- Brooks
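The point in dispute above, shown as an added example rather than code from rc.subr or the FreeBSD tree: a `#!/usr/bin/env python` shebang names no interpreter path, so whatever runs depends entirely on $PATH at the moment the script is started. The functions `parse_shebang`, `resolve_in_path` and `setup_demo` below are hypothetical helpers written for this illustration (they mimic how env(1) searches PATH, not how rc.subr actually parses the line), and the "python" stubs and scripts they create are constructed sample files, not anything from the ports.

```shell
#!/bin/sh
# Added example, not FreeBSD rc.subr code. Demonstrates why
# "#!/usr/bin/env NAME" is only as trustworthy as the PATH it is run with.

# resolve_in_path NAME
#   Print the first executable NAME found along $PATH, the way env(1) /
#   execvp(3) would pick it. An empty PATH component means the current
#   directory, which is exactly the "." case discussed in the thread.
#   Uses only shell builtins so it works even under a crippled PATH.
resolve_in_path() {
    _oldifs=$IFS
    IFS=:
    for _d in $PATH; do
        if [ -z "$_d" ]; then _d=.; fi
        if [ -x "$_d/$1" ] && [ ! -d "$_d/$1" ]; then
            IFS=$_oldifs
            printf '%s\n' "$_d/$1"
            return 0
        fi
    done
    IFS=$_oldifs
    return 1
}

# parse_shebang FILE
#   Print the interpreter the first line of FILE selects. An absolute
#   interpreter ("#!/usr/local/bin/python") is printed as written; an
#   "#!/usr/bin/env NAME" line is resolved against the *current* PATH.
#   Returns 1 if FILE has no shebang line.
parse_shebang() {
    _first=
    IFS= read -r _first < "$1" || [ -n "$_first" ]
    case "$_first" in
    '#!'*) ;;
    *) return 1 ;;
    esac
    _line=${_first#'#!'}
    # word-split the remainder: $1 = interpreter, $2 = first argument
    set -- $_line
    if [ "$1" = "/usr/bin/env" ] && [ -n "$2" ]; then
        resolve_in_path "$2"
    else
        printf '%s\n' "$1"
    fi
}

# setup_demo DIR
#   Build a constructed layout: a trusted "sys" directory holding the real
#   interpreter, an untrusted "cwd" directory holding a look-alike, and two
#   scripts, one with an env shebang and one with an absolute path.
setup_demo() {
    mkdir -p "$1/sys" "$1/cwd"
    printf '#!/bin/sh\necho "the real python"\n' > "$1/sys/python"
    printf '#!/bin/sh\necho "rogue python from an untrusted directory"\n' > "$1/cwd/python"
    chmod 755 "$1/sys/python" "$1/cwd/python"
    printf '#!/usr/bin/env python\nprint("hello")\n' > "$1/script.py"
    printf '#!/usr/local/bin/python\nprint("hello")\n' > "$1/abs.py"
}

# Stand-alone demo: same script, three different PATHs, three answers.
demo_dir=$(mktemp -d)
setup_demo "$demo_dir"
printf 'absolute shebang:        %s\n' "$(parse_shebang "$demo_dir/abs.py")"
printf 'env, trusted PATH:       %s\n' \
    "$(PATH="$demo_dir/sys"; parse_shebang "$demo_dir/script.py")"
printf 'env, "." first in PATH:  %s\n' \
    "$(cd "$demo_dir/cwd" && PATH=".:$demo_dir/sys" && parse_shebang "$demo_dir/script.py")"
printf 'env, untrusted dir first: %s\n' \
    "$(PATH="$demo_dir/cwd:$demo_dir/sys"; parse_shebang "$demo_dir/script.py")"
rm -rf "$demo_dir"
```

With the trusted PATH the env line resolves to `sys/python`; prepend "." while sitting in the untrusted directory, or put that directory ahead of the system one, and the very same script now selects the look-alike. An absolute shebang is unaffected by PATH. Whether that matters for rc.d is exactly Brooks's point: the exposure exists only if root's PATH already contains a directory an attacker can write to.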