On Mon, 2018-01-29 at 09:16 +0800, Kang-Che Sung wrote:
> On Mon, Jan 29, 2018 at 2:51 AM, Bernd Petrovitsch
> <[email protected]> wrote:
> > On Fri, 2018-01-26 at 15:15 +0100, Denys Vlasenko wrote:
> > > On Fri, Jan 26, 2018 at 9:34 AM, Paul Otto <[email protected]> wrote:
> >
> > [...]
> > > > According to the BASH documentation, the source command should:
> > > > Read and execute commands from filename in the current shell
> > > > environment and return the exit status of the last command executed
> > > > from filename. If filename does not contain a slash, filenames in
> > > > PATH are used to find the directory containing filename. The file
> > > > searched for in PATH need not be executable. When bash is not in
> > > > posix mode, the current directory is searched if no file is found
> > > > in PATH.
> > >
> > > I wish bash wouldn't introduce gratuitous standard violations.
> >
> > I see such behaviour more as a security problem - there are good
> > reasons for not using "." automagically in $PATH (like DOS did .....).
>
> The problem with DOS/Windows is that they prioritize "." (working directory)
> over PATH when searching commands, which can cause security problems.
> Bash actually considers "." last, which is less of a security threat (unless
> you're setting a shell environment when the user doesn't even have permission
> to adjust $PATH).
>
> For reference, here is the rationale in POSIX:
>
> http://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#dot
>
> "Some older implementations searched the current directory for the [file],
> even if the value of [PATH] disallowed it. This behavior was omitted from this
> volume of POSIX.1-2008 due to concerns about introducing the susceptibility to
> trojan horses that the user might be trying to avoid by leaving _dot_ out of
> [PATH]."

And it is good that the implicit '.' is gone.
People can add "." to $PATH anyway if they want.

And it may be less risky if the implicit "." is at the end of $PATH
instead of the front, but (at least;-) I mistype commands often enough
and the list of aliases/shell functions a la "alias gerp=grep" keeps
growing - apparently not only for a better user interface.

Kind regards,
Bernd
--
Bernd Petrovitsch Email : [email protected]
LUGA : http://www.luga.at
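
An added example, not part of any message in this thread and not bash or BusyBox code: a simplified model of the PATH-only lookup for `.`/`source` that reports when a file is reachable only through the current-directory fallback quoted above, or through an empty, "." or relative PATH entry. The helper name `resolve_dot_file`, its return codes and the scratch files are assumptions made for illustration.

```shell
#!/bin/sh
# resolve_dot_file NAME [PATH_VALUE]   (hypothetical helper, simplified model)
# Resolves NAME the way a PATH-only lookup for "." / "source" would.
# Return codes:
#   0  found via an absolute PATH entry, or NAME contains a slash (path printed)
#   1  not found
#   2  found only in the current directory: reachable solely through the
#      implicit fallback bash applies outside posix mode (nothing printed)
#   3  found through an empty, "." or relative PATH entry (path printed)
# Uses plain globals because POSIX sh has no "local".
resolve_dot_file() {
    name=$1
    rest=${2-$PATH}:          # trailing ":" keeps a final empty entry
    case $name in
        */*)                  # a slash disables the PATH search
            [ -f "$name" ] && [ -r "$name" ] || return 1
            printf '%s\n' "$name"
            return 0 ;;
    esac
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        case $dir in
            /*) kind=0 ;;
            *)  kind=3 ;;     # depends on whatever the cwd is at call time
        esac
        candidate=${dir:-.}/$name
        if [ -f "$candidate" ] && [ -r "$candidate" ]; then
            printf '%s\n' "$candidate"
            return "$kind"
        fi
    done
    [ -f "./$name" ] && [ -r "./$name" ] && return 2
    return 1
}

# Constructed demo: env.sh sits in the working directory, not in PATH.
demo=$(mktemp -d)
mkdir "$demo/bin" "$demo/work"
: > "$demo/work/env.sh"
rc=0
( cd "$demo/work" && resolve_dot_file env.sh "$demo/bin" ) || rc=$?
echo "PATH-only lookup of env.sh: rc=$rc (2 = current-directory fallback only)"
rm -rf "$demo"
```

A script can call this before sourcing a bare filename and refuse to continue on return codes 2 or 3, which are the cases where the result depends on the directory the shell happens to be in.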