Timeline for shebang and path
Current License: CC BY-SA 3.0
5 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Apr 26, 2011 at 7:46 | comment added | Rory Alsop | | @Gilles - +1 you have a good point, definitely, as if this is broken there are probably other ways in that are just as valid, however in terms of broken things you can fix, this is an easy one. |
| Apr 25, 2011 at 17:38 | comment added | Gilles 'SO- stop being evil' | | Could you give an example of a case where PATH is an attack vector, and there aren't so many other attack vectors that the whole approach should be rethought? |
| Apr 24, 2011 at 16:16 | comment added | Rory Alsop | | Your point about setxid is valid, however it is a perfectly useful attack vector so definitely isn't a false warning. |
| Apr 24, 2011 at 15:21 | comment added | Gilles 'SO- stop being evil' | | This concern only applies if the script is running with elevated privileges. And that's uncommon, because shebang and setxid don't play well together, and there's a lot more to worry about than $PATH. Without elevated privileges, what if LD_PRELOAD is used? P.S. Downvoted because giving a false warning about security is detrimental to security. |
| Apr 24, 2011 at 10:01 | history answered | Rory Alsop | CC BY-SA 3.0 | |