From owner-cvs-all@FreeBSD.ORG Fri Jan 5 21:47:24 2007 Return-Path: X-Original-To: cvs-all@FreeBSD.org Delivered-To: cvs-all@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 561C316A40F; Fri, 5 Jan 2007 21:47:24 +0000 (UTC) (envelope-from gad@FreeBSD.org) Received: from smtp7.server.rpi.edu (smtp7.server.rpi.edu [128.113.2.227]) by mx1.freebsd.org (Postfix) with ESMTP id 1BE7F13C43E; Fri, 5 Jan 2007 21:47:23 +0000 (UTC) (envelope-from gad@FreeBSD.org) Received: from [128.113.24.47] (gilead.netel.rpi.edu [128.113.24.47]) by smtp7.server.rpi.edu (8.13.1/8.13.1) with ESMTP id l05LlLso016577; Fri, 5 Jan 2007 16:47:22 -0500 Mime-Version: 1.0 Message-Id: In-Reply-To: <20061231170411.GA53408@mail.mppsystems.com> References: <200612311107.kBVB7TrP042343@repoman.freebsd.org> <20061231170411.GA53408@mail.mppsystems.com> Date: Fri, 5 Jan 2007 16:47:20 -0500 To: Mike Pritchard , Yar Tikhiy From: Garance A Drosehn Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-CanItPRO-Stream: default X-RPI-SA-Score: undef - spam-scanning disabled X-Scanned-By: CanIt (www . canit . ca) Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/etc rc.subr X-BeenThere: cvs-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: CVS commit messages for the entire tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Jan 2007 21:47:24 -0000 At 11:04 AM -0600 12/31/06, Mike Pritchard wrote: >On Sun, Dec 31, 2006 at 11:07:29AM +0000, Yar Tikhiy wrote: >> yar 2006-12-31 11:07:29 UTC >> >> FreeBSD src repository >> >> Modified files: >> etc rc.subr >> Log: >> Allow for /usr/bin/env when parsing the shebang line from an >> interpreted $command. Some "portable" sofware packages use such a >> line to skip the task of figuring out the absolute pathname of the >> interpreter at install time, e.g.: >> >> #!/usr/bin/env python >> >> It is insecure, but a popular book on Python seems to have advised >> it to a wide audience. Hence a number of such scripts in the ports, >> mostly written in Python. > >If it's insecure, than why allow it? If the ports need a patch to >make it secure, then they should be patched. The commit-comment makes the change sound more scary than it really is. And while I am a little surprised that nothing seems to set a value for PATH in the /etc/rc.d/* scripts, I do see that: /etc/rc:PATH=/sbin:/bin:/usr/sbin:/usr/bin /etc/rc:export HOME PATH /etc/rc.shutdown:PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin /etc/rc.shutdown:export HOME PATH So, running some script via /usr/bin/env is not an issue during the normal startup and shutdown operations. I guess it theoretically might be an issue when people run a /etc/rc.d/ file by hand, as root, and only if they have already set a dangerous value for PATH. I.e, that administrator *already* has a security issue, and using /usr/bin/env merely means the startup line in some /etc/rc.d/* scripts are not protected from that already-existing security problem. However, this change doesn't actually run anything with /usr/bin/env. It only makes rc.subr work reliably for those scripts which have decided to use /usr/bin/env. On the flip side, the /usr/bin/env trick is explicitly recommended for the perl and ruby communities, in addition to python. The practice is described in multiple books for those languages. It is by far the easiest way to write a portable script. In this case, "portable" also covers scripts which are only running a variety of FreeBSD configurations. It isn't just a matter of portability between FreeBSD vs Linux vs Solaris. It could get quite tricky to write a script which is certain to get the right version of python on every installation of FreeBSD. (This is more of an issue for python and ruby than perl. Perl used to be part of the base system, so we have the special /usr/bin/perl link even when perl is installed from ports. We do not create a special link like that for ruby or python). Yar's comment may have made this change sound scary, but in practice the security exposure for this specific change is zero. I understand what Yar was thinking of when he mentioned it the way he did, but the change itself does not cause any security problem. None. Zero. -- Garance Alistair Drosehn = drosehn@rpi.edu Senior Systems Programmer or gad@FreeBSD.org Rensselaer Polytechnic Institute; Troy, NY; USA