Hello again.

On Fri, Sep 11, 2015 at 11:43:15AM +0100, Paul Martin wrote:
[...]
> Should the caller of /sbin/fsck need knowledge about the other paths
> where the various fsck.* programs might lurk? It knows where
> /sbin/fsck is, and that's all that should matter. It could even be
> argued that implicitly trusting the PATH might be a security problem.

I don't follow how it would be a security problem. The caller is in control of the environment. There is no privilege escalation anywhere in util-linux. The caller is also in control of a lot more than the environment, like for example which arguments are used....

I agree that it's stupid that callers will have to know where all helpers might be located. It's also stupid if fsck has to hunt down all places helpers might be located. This is just how the current state of things is .... nothing I can do anything about.

> If btrfs wishes not to follow the rest (and put its admin tools in
> /bin rather than /sbin, with no compatibility symlinks), it's broken
> too.

I agree and that's why I filed #798072 to make the maintainer aware of this. It got no traction with the maintainer..... This is apparently the new world order, to which we need to adapt.

> Incidentally, your suggestion of unsetting PATH means that btrfs
> filesystems can't be checked by /sbin/fsck.

That was my point, but unless you know the correct path to pass I'd say not passing any PATH at all is better than passing an incorrect one.

If cryptmount sanitized the environment (if it did not want the user to be in control of the environment) it would not run into the problem you initially reported.

If you want to argue against the new world order, please do so with upstream and/or maintainers of affected helpers.

Regards,
Andreas Henriksson