On 01/13/13 12:03, Maximo Pech wrote: > At work, we have an "information security" area for IT. > > They mandate that on all shell scripts we have to use absolute paths for > every single command. > > I feel that this does not provide real security and only makes scripts > somewhat more painful to write. > > What's your opinion on this? >
I'm not too impressed by this plan for system scripts. If someone got in to add files to default path...they've already been in your system. They are worried about someone dropping a new "perl" in /sbin which does something you aren't desiring, but if they can do that, they can generally modify the /usr/bin/perl or similar. It sounds like a lot of modern model security...let 'em in, make their life "difficult" once they are there (oh, and really annoy administrators in the mean time). "pain = security", right? (oh, and "difficult" can mean "make 'em die laughing"). Now...if you are talking about scripts that ordinary users are intended to run, slightly different story, as users are relatively easy to trick into changing their $PATH and/or adding things to $HOME/bin... or doing it on their own, and wondering why YOUR script blew up shortly after they installed their own custom 'cp' command, and put it in their path before your silly, boring system 'cp'... Nick.
