URL: https://github.com/freeipa/freeipa/pull/204
Title: #204: ipautil.run: Remove hardcoded environ PATH value

pspacek commented:
The approach with wiping env adds another layer of problems, e.g. inability to 
use `KRB5_TRACE` environment variable for debugging etc.

IMHO we should use absolute paths whenever we call an external program and let 
the env be. If an attacker is controling env the game is already over. He could 
mess with `LD_PRELOAD` or any other other current or future sensitive variables.

See the full comment at 
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to