Re: all xterms
On Tue, Nov 02, 1999 at 05:35:32PM -0500, Daniel Burrows wrote:
> On Tue, Nov 02, 1999 at 07:05:20PM +0100, Tomasz Wegrzanowski was heard to say:
> > I've sent a patch making pgp and gpg able to lie anywhere the shell can find them
> > (in $PATH, I mean), but it was ignored by the maintainer, who doesn't consider mutt's
> > way the wrong one.
>
> I think I can guess at least one possible reason for doing this. By searching
> anywhere in the path, especially with these particular programs, you
> introduce a *potential* security hole. Knowing exactly which pgp/gpg binary
> you're running is a Good Thing. [2]

NO, you are completely WRONG.
If one has $PATH pointing to a world-writable directory, he already has
NO security AT ALL! This is not a *potential* security hole.

> Daniel
>
> [2] Yes, if you have a small path (/bin:/usr/bin:/usr/local/bin) this isn't
> likely to be a problem, but hardcoding the path will be equally secure on
> all setups including those with unholy default paths ;-).

It won't be secure, because I won't be able to check a signature's validity
if I install pgp to /usr/local/ or /opt/ or any other place in the $PATH.
This is bad for security.
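
The condition both sides of this thread argue about can be checked directly. The following is an added example, not part of the original messages or of mutt: it lists search-path entries where another local user could plant a binary and shows which pgp/gpg a $PATH lookup would select. The function names `unsafe_path_dirs` and `resolve_in_path` are hypothetical.

```shell
#!/bin/sh
# Added example: audit a PATH-style string for the risk debated above.

# List entries of the colon-separated search path $1 where another local user
# could plant a program: relative/empty entries (resolved against the current
# directory) and directories writable by "other". The sticky bit does not
# help here, since it only blocks deleting files, not creating new ones.
unsafe_path_dirs() (
    IFS=:       # split on ':' only; the subshell body keeps this local
    set -f      # no globbing of path entries
    for dir in $1; do
        case $dir in
            /*) ;;
            *)  printf 'relative %s\n' "${dir:-.}"; continue ;;
        esac
        if [ -d "$dir" ] && [ -n "$(find "$dir" -prune -perm -0002)" ]; then
            printf 'world-writable %s\n' "$dir"
        fi
    done
)

# Print the file that a $PATH-style lookup of program $1 in search path $2
# would execute (first match wins), or nothing if there is none.
resolve_in_path() (
    IFS=:
    set -f
    for dir in $2; do
        candidate=${dir:-.}/$1
        if [ -f "$candidate" ] && [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            exit 0
        fi
    done
)

# Audit the caller's own PATH and show which pgp/gpg it would select.
unsafe_path_dirs "$PATH"
for prog in pgp gpg; do
    resolve_in_path "$prog" "$PATH"
done
```

Any line of output from `unsafe_path_dirs` ahead of the directory that holds the real binary means the lookup result cannot be trusted on that account.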