Bug#392586: tetex-bin: Insecure $ENV{PATH} while running setuid at /usr/bin/epstopdf line 211.
Dr. Tilo Levante wrote:
> Package: tetex-bin
> Version: 3.0-19
> Severity: normal
>
>
> I use epstopdf in a setuid script (backend for cups, needs access to
> some directories), and get the error above.
>
> Solution was to add the line
> $ENV{"PATH"} = "/usr/bin:/usr/sbin:/bin:/usr/bin";
> in /usr/bin/epstopdf.
Do I understand you correctly that you are calling epstopdf from some
other program? I don't understand why it should be epstopdf's business
to care for a secure environment then. After all, epstopdf is a program
for general use and I might want to use it with a ghostscript binary
outside the above list of directories. This would be needlessly
difficult after such a change. IMO the calling program should set up
PATH in a secure way.
cheerio
ralf
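
As an added example that is not part of the original thread, here is one way a setuid caller could take responsibility for the environment itself, written as a small C wrapper. The PATH value, the location `/usr/bin/epstopdf` and the file-name policy are assumptions. Because Perl turns on its taint checks when the real and effective IDs differ, the wrapper also makes them equal before it runs the script.

```c
/* Added example, not code from the thread. Paths and the file-name policy
 * are assumptions of this sketch. */
#define _GNU_SOURCE
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Fixed environment for the child: nothing is inherited from the invoker. */
static char *const *clean_env(void) {
    static char *env[] = { "PATH=/usr/bin:/bin", NULL };
    return env;
}

/* Absolute name, components of [A-Za-z0-9_.-] that start with an
 * alphanumeric or '_', ending in ".eps" (hypothetical allow-list). */
static int is_safe_eps_path(const char *p) {
    size_t n, i;
    if (p == NULL || p[0] != '/') return 0;
    n = strlen(p);
    if (n < 6 || strcmp(p + n - 4, ".eps") != 0) return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)p[i];
        if (c == '/') {
            unsigned char next = (unsigned char)p[i + 1];
            /* rejects "//", "/.", "/..", "/-" */
            if (!isalnum(next) && next != '_') return 0;
        } else if (!isalnum(c) && c != '_' && c != '.' && c != '-') {
            return 0;
        }
    }
    return 1;
}

static int run_epstopdf(const char *infile) {
    char *args[] = { "epstopdf", (char *)infile, NULL };
    if (!is_safe_eps_path(infile)) return -1;
    /* Perl enables taint checks when real and effective IDs differ, so
     * make them equal (group first) before running the Perl script. */
    if (setregid(getegid(), getegid()) != 0) return -1;
    if (setreuid(geteuid(), geteuid()) != 0) return -1;
    execve("/usr/bin/epstopdf", args, clean_env());
    return -1; /* reached only if execve failed */
}

int main(int argc, char **argv) {
    if (argc == 2) run_epstopdf(argv[1]);
    fprintf(stderr, "usage: wrapper /absolute/file.eps\n");
    return 1;
}
```

With the PATH fixed by the caller, epstopdf itself stays unchanged and can still be used with a ghostscript binary in any directory when run normally.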