Cannot exec() program outside of /bin if PATH is unset

Eric Blake eblake@redhat.com
Fri Sep 12 23:13:00 GMT 2014


On 09/12/2014 05:03 PM, Eric Blake wrote:
> On 09/12/2014 04:50 PM, Christian Franke wrote:
>> Andrey Repin wrote:
>>>> Hmm... is postfix actually broken?
>>>> Unsetting PATH is IMO sane (from the POSIX POV) if all exec() calls use
>>>> absolute path names.
>>> If all exec() calls are made with full paths, unsetting $PATH does not
>>> improve security in any way,
>>
>> Of course. But postfix could be configured to run "unknown" external
>> programs through its various daemons. In this case, a fixed (here:
>> empty) PATH improves security. If not convinced, please discuss with the
>> author of postfix :-)
> 
> An empty PATH leaves it up to the implementation what helpers get run
> (if it doesn't fall over first), which is LESS secure than a guaranteed
> safe PATH of confstr(_CS_PATH).

By the way, passing a _safe_ PATH to your child process IS a good idea
for security-conscious programs, but you have to do it correctly (by
passing an actual safe path, and NOT by completely unsetting PATH).

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
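As an added illustration of the point above (example code, not from the thread, from postfix, or from libvirt): a C helper that builds the child's PATH from confstr(_CS_PATH) and runs a helper through a minimal environment holding only that PATH, so the lookup is well-defined rather than left to the implementation. The function names safe_path_env and run_with_safe_path are my own.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

extern char **environ;

/* Build "PATH=<value>" from the system's guaranteed-safe default search
 * path, confstr(_CS_PATH), instead of trusting or unsetting the inherited
 * PATH.  Returns a malloc'd string, or NULL on failure. */
char *safe_path_env(void)
{
    size_t n = confstr(_CS_PATH, NULL, 0);     /* bytes needed, incl. NUL */
    if (n == 0)
        return NULL;
    char *env = malloc(n + 5);                 /* room for "PATH=" prefix */
    if (env == NULL)
        return NULL;
    memcpy(env, "PATH=", 5);
    if (confstr(_CS_PATH, env + 5, n) == 0) {
        free(env);
        return NULL;
    }
    return env;
}

/* Run a helper named without a slash, giving the child an environment that
 * holds only the safe PATH, so which binary execvp() finds is well-defined.
 * Returns the child's exit status, or -1 if it could not be run at all. */
int run_with_safe_path(const char *prog, char *const argv[])
{
    char *env = safe_path_env();
    if (env == NULL)
        return -1;
    pid_t pid = fork();
    if (pid < 0) { free(env); return -1; }
    if (pid == 0) {
        char *envp[] = { env, NULL };
        environ = envp;          /* child inherits nothing but the safe PATH */
        execvp(prog, argv);      /* searches only confstr(_CS_PATH) */
        _exit(127);              /* exec failed: conventional "not found" */
    }
    free(env);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```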
