Re: Re: Bug#210243: ITP: xspringies -- Interactive 2D mass/spring simulation system for X [Steve Kemp <skx@debian.org>, Mon, Sep 15, 2003 at 04:21:39PM +0100, <[🔎] 20030915152139.GA30433@steve.org.uk>] > > $PATH is almost always trusted; the exception is setuid programs which > > should sanitize PATH. xspringies is not setuid, is it? > > It is not setuid/setgid no, but I still think it's best to not trust > the PATH - sure it's not critical, but it's a good think "just in > case". I like to use $PATH with ~/bin at the beginning to allow me to put wrappers around programs. For example I could have a shell script ~/bin/gzip that calls the real gzip after doing some stuff: $!/bin/sh echo "Compressing $1" >> ~/log/gzip.log exec /usr/bin/gzip "$@" It doesn't make much sense in this example, but I'd find it rather annoying if packages would have hardcoded paths compiled in. Some weeks ago there was a discussion whether mutt should call /usr/bin/gpg rather than gpg because "gpg was security critical". I have a ~/bin/gpg that calls a agent-enabled version of gpg, which makes perfectly sense. Christoph -- Christoph Berg <cb@df7cb.de>, http://www.df7cb.de/ Wohnheim D, 2405, Universität des Saarlandes, 0681/9657944
Attachment:
pgpbmO6zhGWvo.pgp
Description: PGP signature