Date:      Tue, 2 Jan 2007 15:00:05 -0600
From:      Brooks Davis <brooks@one-eyed-alien.net>
To:        Mike Pritchard <mpp@mppsystems.com>
Cc:        cvs-src@FreeBSD.org, Yar Tikhiy <yar@FreeBSD.org>, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/etc rc.subr
Message-ID:  <20070102210005.GA8060@lor.one-eyed-alien.net>
In-Reply-To: <20061231170411.GA53408@mail.mppsystems.com>
References:  <200612311107.kBVB7TrP042343@repoman.freebsd.org> <20061231170411.GA53408@mail.mppsystems.com>

On Sun, Dec 31, 2006 at 11:04:11AM -0600, Mike Pritchard wrote:
> On Sun, Dec 31, 2006 at 11:07:29AM +0000, Yar Tikhiy wrote:
> > yar         2006-12-31 11:07:29 UTC
> >
> >   FreeBSD src repository
> >
> >   Modified files:
> >     etc                  rc.subr
> >   Log:
> >   Allow for /usr/bin/env when parsing the shebang line from an
> >   interpreted $command.  Some "portable" software packages use such a
> >   line to skip the task of figuring out the absolute pathname of the
> >   interpreter at install time, e.g.:
> >
> >           #!/usr/bin/env python
> >
> >   It is insecure, but a popular book on Python seems to have advised
> >   it to a wide audience.  Hence a number of such scripts in the ports,
> >   mostly written in Python.
>
> If it's insecure, then why allow it?  If the ports need a patch to make it
> secure, then they should be patched.
>
> I don't like seeing something from rc.subr with a comment about it
> being less secure....

It's only a security problem in the case of an insecure path.  This
isn't generally the case for rc.d's execution context.  It's only
a security issue if administrators are stupid enough to place
untrustworthy directories such as "." in root's path.

-- Brooks
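
As an added illustration (not rc.subr's own code, and not anything Yar or Brooks posted), a POSIX sh sketch of the two points in this thread: working out the real interpreter when a script's shebang goes through /usr/bin/env, and checking the PATH that such a lookup depends on. The script names, the fake python binary and the PATH values below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not rc.subr's own code: find the interpreter that will
# actually run an interpreted $command, looking through a leading
# "#!/usr/bin/env NAME" as the commit message describes, and flag the
# PATH entries that make that lookup untrustworthy.  All files and PATH
# values here are constructed for the demonstration.

# Print the interpreter named on a script's shebang line; for
# "#!/usr/bin/env NAME", resolve NAME through PATH the way env(1) would.
shebang_interpreter() {
	read -r _line < "$1" || return 1
	case "$_line" in \#!*) ;; *) return 1 ;; esac   # not an interpreted script
	set -- ${_line#\#!}                 # split into interpreter and args
	case "$1" in */bin/env) shift ;; *) printf '%s\n' "$1"; return ;; esac
	_oldifs=$IFS; IFS=:                 # first PATH match wins, like env(1)
	for _dir in $PATH; do
		if [ -x "${_dir:-.}/$1" ]; then # an empty entry means "."
			IFS=$_oldifs; printf '%s\n' "${_dir:-.}/$1"; return
		fi
	done
	IFS=$_oldifs; return 1
}

# Return 1 (naming them on stderr) if PATH contains relative entries such
# as "." or "", the condition under which the env lookup above is unsafe.
path_has_relative_entries() {
	_oldifs=$IFS; IFS=:; _bad=0
	for _dir in $1; do
		case "$_dir" in
		/*) ;;
		*) _bad=1; printf 'relative PATH entry: "%s"\n' "$_dir" >&2 ;;
		esac
	done
	IFS=$_oldifs; return $_bad
}

# Demonstration on constructed files: a fake python and a script using env.
demo_dir=$(mktemp -d) && mkdir "$demo_dir/bin"
printf '#!/bin/sh\n' > "$demo_dir/bin/python" && chmod 755 "$demo_dir/bin/python"
printf '#!/usr/bin/env python\nprint 1\n' > "$demo_dir/script.py"
PATH="$demo_dir/bin:/usr/bin:/bin"
shebang_interpreter "$demo_dir/script.py"    # resolves to $demo_dir/bin/python
path_has_relative_entries "/usr/bin:.:/bin" || echo "PATH is untrustworthy"
```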
