URL: https://github.com/freeipa/freeipa/pull/204
Title: #204: ipautil.run: Remove hardcoded environ PATH value

mbasti-rh commented:
> PATH is untrustworthy because there is no knowing what is in it, or the 
> order. It could easily have /usr/local/bin first and some rogue version of a 
> program installed there, or it could have something in ~/bin. Calling exec() 
> is dangerous by its very nature so we opted to be paranoid.

/usr/bin is untrostworthy in the same way, you dont know if an attacker changed 
some binary files, should we have fingerprints and check before exec?

AFAIK path is the standard way how to say programs where should check for 
binarries if they are installed in nonstandard directory

In case that enviroment variables are really considered to be an security risk 
in a way you are saying, then I have bad news:
- our custom path can be overriden by attacker
- this kind of attack can be currently done directly from python we don't need 
anything else in IPA, so our ipautil.run() cannot save users
- you can easily DOS a user of IPA

And this should be platform dependent, so we should move path to ipaplatform

> Your archaeology is right, this wasn't exactly documented. Perhaps it was 
> discussed on IRC in relation to the bug but I remember talking to Simo about 
> this.

It wasn't documented.
That is not nice if this is a security feature

See the full comment at 
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to