cvs commit: src/etc rc.subr
brooks at one-eyed-alien.net
Tue Jan 2 13:11:09 PST 2007
On Sun, Dec 31, 2006 at 11:04:11AM -0600, Mike Pritchard wrote:
> On Sun, Dec 31, 2006 at 11:07:29AM +0000, Yar Tikhiy wrote:
> > yar 2006-12-31 11:07:29 UTC
> > FreeBSD src repository
> > Modified files:
> > etc rc.subr
> > Log:
> > Allow for /usr/bin/env when parsing the shebang line from an
> > interpreted $command. Some "portable" software packages use such a
> > line to skip the task of figuring out the absolute pathname of the
> > interpreter at install time, e.g.:
> > #!/usr/bin/env python
> > It is insecure, but a popular book on Python seems to have advised
> > it to a wide audience. Hence a number of such scripts in the ports,
> > mostly written in Python.
> If it's insecure, then why allow it? If the ports need a patch to make it
> secure, then they should be patched.
> I don't like seeing something from rc.subr with a comment about it
> being less secure....
It's only a security problem in the case of an insecure path. This
isn't generally the case for rc.d's execution context. It's only
a security issue if administrators are stupid enough to place
untrustworthy directories such as "." in root's path.
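
A `#!/usr/bin/env python` line resolves the interpreter through PATH, so it is only as trustworthy as every directory listed there. The following is an added example, not part of the original message or of rc.subr: a POSIX shell check that flags the kinds of PATH entries the reply calls untrustworthy (".", empty or other relative entries) and, as an assumption beyond the message, directories writable by group or others. The function name `audit_path` is hypothetical.

```shell
#!/bin/sh
# audit_path PATHSTRING
# Prints one line per untrustworthy entry and returns non-zero if any is found.
# Usage from root's shell: audit_path "$PATH"
audit_path() (
    set -f                      # no globbing on the unquoted expansion below
    list="$1:"                  # trailing ":" keeps a final empty entry visible
    IFS=:
    bad=0
    for dir in $list; do
        case $dir in
        '')
            # An empty entry is searched as the current directory.
            echo "empty entry (means current directory)"
            bad=1 ;;
        /*)
            # Absolute: flag it when group or others may write to it.
            # Entries that do not exist are skipped in this sketch.
            if [ -d "$dir" ]; then
                mode=$(ls -ldL "$dir")
                mode=${mode%% *}          # permission string, e.g. drwxr-xr-x
                case $mode in
                ?????w*|????????w*)
                    echo "writable by group or others: $dir"
                    bad=1 ;;
                esac
            fi ;;
        *)
            # "." and any other relative entry depend on the caller's cwd.
            echo "relative entry: $dir"
            bad=1 ;;
        esac
    done
    [ "$bad" -eq 0 ]
)
```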