[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: all xterms

On Tue, Nov 02, 1999 at 05:35:32PM -0500, Daniel Burrows wrote:
> On Tue, Nov 02, 1999 at 07:05:20PM +0100, Tomasz Wegrzanowski was heard to say:
> > Ive sent a patch making pgp and gpg able to lie enywhere shell can find them
> > (in $PATH I mean) but it was ignored by maintainer who doesnt consider mutt's
> > way wrong one.
> 
>   I think I can guess at least one possible reason for doing this.  By searching
> anywhere in the path, especially with these particular programs, you
> introduce a *potential* security hole.  Knowing exactly which pgp/gpg binary
> you're running is a Good Thing. [2]

NO, you are completely WRONG.
If one have $PATH pointing to world-writable directory he has
already NO security AT ALL ! This is not *potential* security hole.

>   Daniel
> 
>   [2] Yes, if you have a small path (/bin:/usr/bin:/usr/local/bin) this isn't `
>      likely to be a problem, but hardcoding the path will be equally secure on
>      all setups including those with unholy default paths ;-).

It wont be secure cause I wont be able to check signature's validity
if I install pgp to /usr/local/ or /opt/ or any else place in the $PATH
This is bad for security.
Reply to: