URL: https://github.com/freeipa/freeipa/pull/204
Title: #204: ipautil.run: Remove hardcoded environ PATH value

mbasti-rh commented:
"""
> PATH is untrustworthy because there is no knowing what is in it, or the 
> order. It could easily have /usr/local/bin first and some rogue version of a 
> program installed there, or it could have something in ~/bin. Calling exec() 
> is dangerous by its very nature so we opted to be paranoid.
> 

/usr/bin is untrustworthy in the same way, you don't know if an attacker changed 
some binary files, should we have fingerprints and check before exec?

AFAIK PATH is the standard way to tell programs where they should check for 
binaries if they are installed in a nonstandard directory.

In case environment variables are really considered to be a security risk 
in the way you are saying, then I have bad news:
- our custom PATH can be overridden by an attacker
- this kind of attack can currently be done directly from Python, we don't need 
anything else in IPA, so our ipautil.run() cannot save users
- you can easily DoS a user of IPA

And this should be platform dependent, so we should move the path to ipaplatform.

> Your archaeology is right, this wasn't exactly documented. Perhaps it was 
> discussed on IRC in relation to the bug but I remember talking to Simo about 
> this.

It wasn't documented.
That is not nice if this is a security feature.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/204#issuecomment-257663432
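The behaviour under debate, shown as an added illustration that is not code from FreeIPA or from anyone in this thread: a run() wrapper that resolves a bare program name against a fixed search path and replaces PATH in the child's environment, so the caller's PATH cannot redirect which binary is executed. The `TRUSTED_PATH` value and the `ipa-tool` script name are constructed for this example, not FreeIPA's actual list.

```python
import os
import shutil
import subprocess
import tempfile

# Constructed fixed search path for the example (not ipautil's real value).
TRUSTED_PATH = "/usr/bin:/bin:/usr/sbin:/sbin"


def resolve_executable(name, search_path=TRUSTED_PATH):
    """Resolve a bare program name against search_path only.

    os.environ['PATH'] is never consulted: shutil.which(path=...) replaces it.
    A name containing a '/' is taken as an explicit path and only checked for
    being executable.
    """
    if os.sep in name:
        return name if os.access(name, os.X_OK) else None
    return shutil.which(name, path=search_path)


def run_trusted(argv, search_path=TRUSTED_PATH, **kwargs):
    """Run argv with argv[0] resolved from the fixed path and PATH pinned."""
    exe = resolve_executable(argv[0], search_path)
    if exe is None:
        raise FileNotFoundError(f"{argv[0]!r} not found in {search_path!r}")
    env = dict(os.environ)
    env["PATH"] = search_path  # the child sees the pinned PATH, not the caller's
    return subprocess.run([exe, *argv[1:]], env=env, **kwargs)


def demo():
    """Constructed scenario: a 'rogue' directory is first in the caller's PATH.

    Returns (dir chosen by fixed-path lookup, dir chosen by environment lookup).
    """
    with tempfile.TemporaryDirectory() as tmp:
        trusted, rogue = os.path.join(tmp, "trusted"), os.path.join(tmp, "rogue")
        for d in (trusted, rogue):
            os.mkdir(d)
            script = os.path.join(d, "ipa-tool")
            with open(script, "w") as f:
                f.write("#!/bin/sh\necho %s\n" % os.path.basename(d))
            os.chmod(script, 0o755)
        saved = os.environ.get("PATH", "")
        os.environ["PATH"] = rogue + os.pathsep + saved
        try:
            fixed = resolve_executable("ipa-tool", trusted)
            from_env = shutil.which("ipa-tool")  # plain PATH lookup, for contrast
        finally:
            os.environ["PATH"] = saved
        return (os.path.basename(os.path.dirname(fixed)),
                os.path.basename(os.path.dirname(from_env)))
```

Note the trade-off raised in the thread: pinning the lookup only helps if the pinned directories are themselves trustworthy, and a wrong pin breaks tools installed in non-standard locations.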