Brock Rozen <[EMAIL PROTECTED]> wrote:
> Essentially, my proposal is trying to solve one problem, and one problem
> only -- the inability to reach a certain program because the PATH has been
> changed/deleted/whatever. The solution to that is adding a simple PATH
> line that appends whatever PATH that particular script may need to the
> current PATH set in the environment.
>
> Does it hurt anything?

Yes. In general it's safer to fully specify root's $PATH rather than trust what was inherited from the parent.

However: I don't think that this guideline alone is sufficient to set policy on. Security policy must be well thought out and comprehensive. Debian ought to do what it can to make it easy for people to implement local security policy but except for limited application domains I don't think we can ever go far enough. [What's good security on one system can be denial of service on another.]

If we could come up with a single canonical root path that was adequate for all packages that might be a good thing. But even there you'd have to be very careful of edge conditions.

--
Raul
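
The difference between appending to an inherited PATH and fully specifying it, as an added example that is not part of the original message or of any Debian package: a POSIX sh helper that reports which entries of an inherited PATH a root script should not trust, then replaces the PATH outright. The function names and the value of `SAFE_ROOT_PATH` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. SAFE_ROOT_PATH is an assumed value, not a canonical Debian path.
SAFE_ROOT_PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# True if the directory $1 (symlinks followed) is writable by "other".
is_world_writable() {
    case "$(ls -ldL -- "$1" 2>/dev/null)" in
        ????????w*) return 0 ;;   # 9th character of the mode string
        *)          return 1 ;;
    esac
}

# Print one line per entry of the PATH string $1 that is risky to inherit.
# Appending to PATH keeps every such entry ahead of the appended ones.
audit_path() {
    rest="$1:"                    # trailing ':' so the last entry is seen
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case "$entry" in
            "") echo "empty entry (searched as current directory)" ;;
            /*) if [ -d "$entry" ] && is_world_writable "$entry"; then
                    echo "world-writable: $entry"
                fi ;;
            *)  echo "relative: $entry" ;;
        esac
    done
}

# Fully specify PATH instead of trusting what the parent process passed in.
reset_path() {
    PATH=$SAFE_ROOT_PATH
    export PATH
}

# Constructed sample input: an absolute entry, an empty entry, a relative one.
audit_path "/usr/bin::./tools"
```

A directory missing from the fixed path on a given system is the edge condition the message warns about: the script then fails to find its program, which is why the fixed value has to be chosen per site.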