[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: /etc/init.d scripts WAS: Re: start-stop-daemon on Debian (fwd)



Brock Rozen <brozen@torah.org> wrote:
> Essentially, my proposal is trying to solve one problem, and one problem
> only -- the inability to reach a certain program because the PATH has been
> changed/deleted/whatever. The solution to that is adding a simple PATH
> line that appends whatever PATH that particular script may need to the
> current PATH set in the environment.
> 
> Does it hurt anything? 

Yes.

In general it's safer to fully specify root's $PATH rather than trust
what was inherited from the parent.

However: I don't think that this guideline alone is sufficient to set
policy on.  Security policy must be well thought out and comprehensive.
Debian ought to do what it can to make it easy for people to implement
local security policy but except for limited application domains I don't
think we can ever go far enough.

[What's good security on one system can be denial of service on another.]

If we could come up with a single canonical root path that was adequate
for all packages that might be a good thing.  But even there you'd have
to be very careful of edge conditions.

-- 
Raul


Reply to: