Re: bashims in debian/rules



Simon Kagedal:
> [someone Simon does not identify:]
> > So it's a good thing not to rely on fixed paths for programs. I like the
> > suggestion for SHELL=`which bash` very much.

There is not so much of a problem with using a fixed path for a
program like bash which is also a script interpreter.  They have to
have defined locations anyway, for #! lines.  So, /bin/bash is
guaranteed to exist and we can use it.  Are you sure that
SHELL=`which bash` doesn't cause it to be repeatedly evaluated ?
Also, I'm not sure I'd trust `which' so much.  `which' &co frequently
have odd behaviours, and the user might have a `which' script which
does something different.

> But isn't there a security problem with that? Someone could've put a
> hacked bash in your path or something...

<fx: extreme sarcasm>
Oh no !  Horror !  Why didn't we think of that ?  Shit !  I must
remember that every time I type `ls' I should be typing `/bin/ls' in
case someone has put a hacked `ls' on my PATH ...

Seriously, you have obviously been reading too much about security
holes without understanding the complaints.  PATH is only dangerous if
it is used by a privileged program when it came from an untrusted
environment.  The debian/rules script has to trust the environment
anyway, and has no special privilege.

> (btw, isn't SHELL=bash the same? Make searches PATH itself,
> doesn't it?)

If it does then we should do SHELL=bash.  Otherwise IMO we should do
SHELL=/bin/bash.

Ian.
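
Added example, not part of the original message or of any Debian tooling: a POSIX sh sketch of the check a privileged script could run on an inherited PATH before trusting it, which is the case the message above singles out as the dangerous one. The function names, the SAFE_PATH fallback value and the choice of what counts as risky (empty entry, relative entry, world-writable directory) are assumptions made for illustration.

```shell
#!/bin/sh
# Assumed fixed fallback for a privileged script; adjust per system.
SAFE_PATH=/usr/sbin:/usr/bin:/sbin:/bin

# audit_path PATHSTRING
# Prints one "REASON<TAB>ENTRY" line per risky entry.
# Returns 0 if nothing was flagged, 1 otherwise.
# Runs in a subshell so the IFS and globbing changes do not leak out.
audit_path() (
    set -f                      # no filename expansion while splitting
    IFS=:
    p="$1:"                     # keep a trailing empty field from being dropped
    status=0
    for dir in $p; do
        if [ -z "$dir" ]; then
            # An empty PATH entry means "current directory".
            printf 'empty-entry-is-cwd\t(empty)\n'; status=1
        elif [ "${dir#/}" = "$dir" ]; then
            # No leading slash: resolved relative to wherever we happen to be.
            printf 'relative\t%s\n' "$dir"; status=1
        elif [ -n "$(find "$dir/." -prune -perm -0002 2>/dev/null)" ]; then
            # "$dir/." follows a symlinked directory to its real permissions.
            printf 'world-writable\t%s\n' "$dir"; status=1
        fi
    done
    exit "$status"
)

# choose_path PATHSTRING
# Echo PATHSTRING if it audits clean, otherwise the fixed SAFE_PATH.
choose_path() {
    if audit_path "$1" >/dev/null; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$SAFE_PATH"
    fi
}
```

An unprivileged build script such as debian/rules has no need for this; the check matters only where the caller's environment is less trusted than the program reading it.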

