Cannot exec() program outside of /bin if PATH is unset

Eric Blake
Fri Sep 12 23:13:00 GMT 2014

On 09/12/2014 05:03 PM, Eric Blake wrote:
> On 09/12/2014 04:50 PM, Christian Franke wrote:
>> Andrey Repin wrote:
>>>> Hmm... is postfix actually broken?
>>>> Unsetting PATH is IMO sane (from the POSIX POV) if all exec() calls use
>>>> absolute path names.
>>> If all exec() calls are made with full paths, unsetting $PATH does not
>>> improve
>>> security in any way,
>> Of course. But postfix could be configured to run "unknown" external
>> programs through its various daemons. In this case, a fixed (here:
>> empty) PATH improves security. If not convinced, please discuss with the
>> author of postfix :-)
> An empty PATH leaves it up to the implementation what helpers get run
> (if it doesn't fall over first), which is LESS secure than a guaranteed
> safe PATH of confstr(_CS_PATH).

By the way, passing a _safe_ PATH to your child process IS a good idea
for security-conscious programs, but you have to do it correctly (by
passing an actual safe path, and NOT by completely unsetting PATH).

Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 539 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Cygwin mailing list