[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#210243: ITP: xspringies -- Interactive 2D mass/spring simulation system for X

On Mon, Sep 15, 2003 at 04:21:39PM +0100, Steve Kemp wrote:

> On Mon, Sep 15, 2003 at 11:00:35AM -0400, Matt Zimmerman wrote:
> > $PATH is almost always trusted; the exception is setuid programs which
> > should sanitize PATH.  xspringies is not setuid, is it?
>   It is not setuid/setgid no, but I still think it's best to not trust
>  the PATH - sure it's not critical, but it's a good think "just in
>  case".

I think I have to disagree here; hardcoding paths does not, in general,
improve security.  In any case where path is untrusted, the correct solution
is to set a sane PATH
(/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin) and continue
to execute commands as normal.  This way you are not dependent on programs
being installed in a particular location, and if it is necessary for the
administrator to change the path, they can do this in one palce.

 - mdz

Reply to: