On Mon, Jan 14, 2013 at 11:48:04AM +0100, Jeremie Le Hen wrote: > On Mon, Jan 14, 2013 at 02:16:24AM -0800, Philip Guenther wrote: > > On Mon, Jan 14, 2013 at 1:14 AM, Jeremie Le Hen <jere...@le-hen.org> wrote: > > > On Sun, Jan 13, 2013 at 07:12:23PM +0100, Marc Espie wrote: > > >> On Sun, Jan 13, 2013 at 11:04:08AM -0600, Maximo Pech wrote: > > >> > > > >> > They mandate that on all shell scripts we have to use absolute paths > > >> > for > > >> > every single command. > > >> > > >> That does provide ways less security than setting the PATH to a > > >> system-only > > >> path at the beginning of your script. > > > > > > Can you elaborate on this? From a security point of view only, this > > > looks to me as a draw. If you consider the portability issues then > > > sure, setting PATH is better. > > > > You cut out his next paragraph which gives an example of why: > > > > >> Sure, you invoke programs with an absolute path, but have you checked > > >> that > > >> those programs don't invoke other programs with execvp ? > > > > Hard coding depends on you to actually hard code EVERYWHERE, including > > in paths and commands passed to *other* commands executed from the > > script that you write. If you screw up and miss one, you lose. Set > > PATH and you can't miss one. > > Oh yeah, sorry, I didn't notice the "p" suffix, I just thought of > execve(2).
That's security, so every little detail counts. Miss one ? You lose, obviously. ;-)