On Mon, Jan 14, 2013 at 02:16:24AM -0800, Philip Guenther wrote: > On Mon, Jan 14, 2013 at 1:14 AM, Jeremie Le Hen <jere...@le-hen.org> wrote: > > On Sun, Jan 13, 2013 at 07:12:23PM +0100, Marc Espie wrote: > >> On Sun, Jan 13, 2013 at 11:04:08AM -0600, Maximo Pech wrote: > >> > > >> > They mandate that on all shell scripts we have to use absolute paths for > >> > every single command. > >> > >> That does provide ways less security than setting the PATH to a system-only > >> path at the beginning of your script. > > > > Can you elaborate on this? From a security point of view only, this > > looks to me as a draw. If you consider the portability issues then > > sure, setting PATH is better. > > You cut out his next paragraph which gives an example of why: > > >> Sure, you invoke programs with an absolute path, but have you checked that > >> those programs don't invoke other programs with execvp ? > > Hard coding depends on you to actually hard code EVERYWHERE, including > in paths and commands passed to *other* commands executed from the > script that you write. If you screw up and miss one, you lose. Set > PATH and you can't miss one.
Oh yeah, sorry, I didn't notice the "p" suffix, I just thought of execve(2). Thanks for the clarification. Regards, -- Jeremie Le Hen Scientists say the world is made up of Protons, Neutrons and Electrons. They forgot to mention Morons.