Re: CDPATH and shell scripts
On Thu, Jul 2, 2009 at 5:26 PM, Russ Allbery <email@example.com> wrote:
> Jonathan Yu <firstname.lastname@example.org> writes:
>> How to fix them? Write Perl scripts, and turn on taint checking --
>> that fixes the four issues above, because it makes the script exit if
>> any of them look dangerous. Env::Sanctify::Auto is a Perl module that
>> automatically cleans up the paths.
>> My advice:
>> 1. Write scripts that might be run as root (or setuid root) using Perl
>> 2. Turn on taint checking
>> 3. Consider using Env::Sanctify::Auto (shameless plug)
> I would really prefer that people not start writing maintainer scripts
> in Perl as a matter of course. Perl is harder to analyze for programs
> like lintian than shell scripts (which are already hard enough).
I agree that all too often many build systems are sort of centered
around Perl, and that can be a bad thing, in terms of maintainability.
On the other hand I don't think Perl is always unmaintainable -- it
depends on the programmer.

I suppose though that shell scripts are simpler and thus present less
of a cognitive load for programmers, so that might be why it's
perceived to be more maintainable/easier to analyze.

On the other hand, you're going to run into security issues due to the
aforementioned variables, in any language that doesn't provide a check
(like Perl's taint mode).

Perhaps it could be established in Policy as a best practice to set
those environment variables at the beginning of execution, and carry
them throughout. Or to use a simple Perl or Shell script wrapper which
would clear all those variables before exec'ing to the desired

Security versus convenience is a common debate, and it's no different here.

Another option might be to break from POSIX/etc policy (I'm not sure
where these variables are defined) and patch our commands like 'cd' to
simply ignore 'CDPATH' etc. But I suppose this would then require
patches in all the various shells available for Debian to go against
something standardized for so long.

It's a contentious issue. I wish everyone all the best trying to
figure it out, it's scary stuff indeed.
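
The wrapper idea from the message above, as an added example that is not part of the original thread: it shows an inherited CDPATH redirecting a bare `cd` and the same call behaving once the environment is cleared. The directory names, the function names and the PATH value are assumptions, and the variable list is the one perlsec gives for taint mode, since the thread's own list is not on this page.

```shell
#!/bin/sh
# Added example, not code from the thread. All paths are constructed.

# Constructed layout: work/data is the directory the script means to
# enter; other/data has the same name and is reachable through CDPATH.
make_layout() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/work/data" "$root/other/data"
    printf '%s\n' "$root"
}

# Report which tree a bare "cd data" run from work/ ends up in.
# cd prints the directory when CDPATH supplied it, hence >/dev/null.
where_cd_lands() {
    (
        cd "$1/work" || exit 1
        cd data >/dev/null || exit 1
        parent=${PWD%/data}
        printf '%s\n' "${parent##*/}"
    )
}

# Wrapper idea from the message: clear the variables, then run the command.
# Assumption: the list is the one perlsec gives for taint mode
# (IFS CDPATH ENV BASH_ENV, plus a pinned PATH); the PATH value is an
# assumption too. A stand-alone wrapper script would end in: exec "$@"
run_clean() {
    (
        unset IFS CDPATH ENV BASH_ENV
        PATH=/usr/sbin:/usr/bin:/sbin:/bin
        export PATH
        "$@"
    )
}

# Prints "other work": CDPATH redirects the first cd, not the second.
# The body is a subshell so the exported CDPATH does not leak out.
demo() (
    root=$(make_layout) || exit 1
    CDPATH=$root/other
    export CDPATH
    inherited=$(where_cd_lands "$root")
    cleaned=$(run_clean where_cd_lands "$root")
    rm -rf "$root"
    printf '%s %s\n' "$inherited" "$cleaned"
)

demo
```

Writing the operand as `./data` also keeps `cd` from consulting CDPATH, which protects a single call without touching the environment.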