On Mon, Sep 15, 2003 at 04:21:39PM +0100, Steve Kemp wrote: > On Mon, Sep 15, 2003 at 11:00:35AM -0400, Matt Zimmerman wrote: > > > $PATH is almost always trusted; the exception is setuid programs which > > should sanitize PATH. xspringies is not setuid, is it? > > It is not setuid/setgid no, but I still think it's best to not trust > the PATH - sure it's not critical, but it's a good think "just in > case".
I think I have to disagree here; hardcoding paths does not, in general, improve security. In any case where path is untrusted, the correct solution is to set a sane PATH (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin) and continue to execute commands as normal. This way you are not dependent on programs being installed in a particular location, and if it is necessary for the administrator to change the path, they can do this in one palce. -- - mdz -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
