
Re: "make check" failure [with "." at beginning of PATH]

From: Micah Cowan
Subject: Re: "make check" failure [with "." at beginning of PATH]
Date: Sun, 10 Feb 2008 03:35:40 -0800
User-agent: Thunderbird (X11/20071022)


Jim Meyering wrote:
>> PATH is a personal preference. Many people set it like I do. Don't expect
>> that PATH is set like you prefer it.
> I'd argue that few people put "." anywhere in PATH, since
> doing so constitutes a well-known security risk.
> I'm surprised that you would put "." before directories like /usr/bin.

I suppose one should point out, at this juncture, that default
installations of OpenBSD have "." at the end of their definition for
PATH, in non-root accounts. Apparently, their rationale is that it's
"not too bad", and that it's better to do it a semi-okay way themselves in a
default install, than to let users do it themselves, running the risk
that they uncluefully PLACE IT AT THE FRONT.

I don't write this to invite flames or discussion on whether OpenBSD's
practice (or Bruno's) is an advisable one, or to encourage a debate on
whether . should be in the PATH at all. But, when a set of developers
who have a reputation for being "secure by default" opt for a default
configuration that is traditionally considered by many to be
less-than-secure, for the concern that some people might do something
that pretty much _everyone_ believes is insecure, it would seem very,
very advisable to avoid the latter.

See the OpenBSD thread at

Again, I'm not trying to start a flamewar here; if you read the thread
there and still feel that your practice is safe, no need to argue the
point here. And I'll concede that the issue is much less serious for
people who are the sole user on the system in question. I just wanted to
point out that, AFAICT, there are no pros, and significant cons, to
placing "." at the head of PATH.

--
Micah J. Cowan
Programmer, musician, typesetting enthusiast, gamer...
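
Added example, not part of the original message: a POSIX sh check that reports where a PATH value makes the shell search the current directory, covering ".", empty entries (a leading, trailing or doubled colon, which POSIX shells treat like ".") and other relative entries. The function names `risky_entries` and `path_verdict` and the sample PATH values are constructed for illustration.

```shell
#!/bin/sh
# Added example: find PATH entries that resolve against the current directory.

# Print "<index> <kind> [entry]" for every entry a shell would look up
# relative to the current directory.
risky_entries() {
    rest="$1:"                      # sentinel so a trailing empty entry is seen
    i=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        i=$((i + 1))
        case $entry in
            '') echo "$i empty" ;;  # "::", leading or trailing ":" mean cwd
            .)  echo "$i dot ." ;;
            /*) ;;                  # absolute entry: not cwd-dependent
            *)  echo "$i relative $entry" ;;
        esac
    done
}

# Print one word: "clean", "head" (cwd is searched first), "tail" (cwd only
# as the last entry, the placement the message attributes to OpenBSD's
# non-root default) or "middle" (anything else).
path_verdict() {
    hits=$(risky_entries "$1" | cut -d' ' -f1)
    if [ -z "$hits" ]; then
        echo clean
        return 0
    fi
    total=$(printf '%s:' "$1" | tr -cd ':' | wc -c)   # entries = colons + sentinel
    total=$((total))
    first=$(echo "$hits" | head -n 1)
    if [ "$first" -eq 1 ]; then
        echo head
    elif [ "$first" -eq "$total" ]; then
        echo tail
    else
        echo middle
    fi
}

# Constructed sample values, not taken from any real system.
for p in "/usr/bin:/bin" ".:/usr/bin:/bin" "/usr/bin:/bin:." \
         "/usr/bin::/bin" "/usr/bin:/bin:"; do
    printf '%-18s %s\n' "$p" "$(path_verdict "$p")"
done
```

To check a live session, call `path_verdict "$PATH"` and list the offending positions with `risky_entries "$PATH"`.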

