Bug#210243: ITP: xspringies -- Interactive 2D mass/spring simulation system for X
On Mon, Sep 15, 2003 at 04:21:39PM +0100, Steve Kemp wrote:
> On Mon, Sep 15, 2003 at 11:00:35AM -0400, Matt Zimmerman wrote:
>
> > $PATH is almost always trusted; the exception is setuid programs which
> > should sanitize PATH. xspringies is not setuid, is it?
>
> It is not setuid/setgid no, but I still think it's best to not trust
> the PATH - sure it's not critical, but it's a good think "just in
> case".
I think I have to disagree here; hardcoding paths does not, in general,
improve security. In any case where path is untrusted, the correct solution
is to set a sane PATH
(/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin) and continue
to execute commands as normal. This way you are not dependent on programs
being installed in a particular location, and if it is necessary for the
administrator to change the path, they can do this in one palce.
--
- mdz
Reply to: