On Fri, 08.09.2017 at 14:48 -0400, Alec Warner wrote:
> Why PATH=/dev/null vs export PATH=""
+ # note: we can't use empty because it implies current directory > > On Thu, Sep 7, 2017 at 3:36 AM, Michał Górny <mgo...@gentoo.org> wrote: > > > On 31 August 2017 22:45:42 CEST, "Michał Górny" <mgo...@gentoo.org> > > wrote: > > > Set PATH to /dev/null when sourcing the ebuild for dependency > > > resolution > > > in order to prevent shell from finding external commands via PATH > > > lookup. While this does not prevent executing programs via full path, > > > it > > > should catch the majority of accidental uses. > > > > > > Closes: https://github.com/gentoo/portage/pull/199 > > > > > > // Note: this can't be merged right now since we still have ebuilds > > > // calling external commands; see: > > > // https://bugs.gentoo.org/show_bug.cgi?id=629222 > > > > Update: gentoo is green now > > > > > --- > > > bin/ebuild.sh | 6 +++++- > > > bin/isolated-functions.sh | 4 ++++ > > > 2 files changed, 9 insertions(+), 1 deletion(-) > > > > > > diff --git a/bin/ebuild.sh b/bin/ebuild.sh > > > index c23561651..94a44d534 100755 > > > --- a/bin/ebuild.sh > > > +++ b/bin/ebuild.sh > > > @@ -80,8 +80,12 @@ else > > > done > > > unset funcs x > > > > > > + # prevent the shell from finding external executables > > > + # note: we can't use empty because it implies current directory > > > + _PORTAGE_ORIG_PATH=${PATH} > > > + export PATH=/dev/null > > > command_not_found_handle() { > > > - die "Command not found while sourcing ebuild: ${*}" > > > + die "External commands disallowed while sourcing ebuild: > > > > ${*}" > > > } > > > fi > > > > > > diff --git a/bin/isolated-functions.sh b/bin/isolated-functions.sh > > > index e320f7132..b28e44f18 100644 > > > --- a/bin/isolated-functions.sh > > > +++ b/bin/isolated-functions.sh
> > > @@ -121,6 +121,10 @@ __helpers_die() { > > > } > > > > > > die() { > > > + # restore PATH since die calls basename & sed > > > + # TODO: make it pure bash > > > + [[ -n ${_PORTAGE_ORIG_PATH} ]] && PATH=${_PORTAGE_ORIG_PATH} > > > + > > > set +x # tracing only produces useless noise here > > > local IFS=$' \t\n' > > > > > > > > > -- > > Best regards, > > Michał Górny (by phone) > > > > -- Best regards, Michał Górny
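Review bot: In the bin/ebuild.sh hunk, the new die text "External commands disallowed while sourcing ebuild" will be shown for every name bash cannot resolve, because command_not_found_handle also fires for a misspelled function or an eclass function that was never defined, not only for external programs. Keeping "Command not found" in the message and appending the explanation, for example "Command not found while sourcing ebuild (external commands are disallowed here): ${*}", would avoid sending people looking for the wrong problem. A one-line comment saying where PATH is put back from _PORTAGE_ORIG_PATH once sourcing is finished would also help, since this hunk only shows the save.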
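Review bot: In the bin/isolated-functions.sh hunk, the line `[[ -n ${_PORTAGE_ORIG_PATH} ]] && PATH=${_PORTAGE_ORIG_PATH}` in die() trusts whatever the variable contains, but the ebuild.sh hunk assigns it only inside the `else` branch, so on every other path that reaches die() a _PORTAGE_ORIG_PATH inherited from the calling environment would replace PATH just before basename and sed are run. Consider unsetting the variable early in a place every caller passes through, and unsetting it here once PATH has been restored. As a smaller style point, an `if ...; then ...; fi` would not leave a non-zero status behind when the variable is empty, which the `[[ ... ]] && ...` form does.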
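The answer to the question above ("we can't use empty because it implies current directory") can be checked directly. This is an added example, not part of the original thread or of Portage's code; `probe_path` and `stray-tool` are hypothetical names, and the probe goes slightly beyond the thread by also trying PATH values with a leading or trailing empty component, which bash treats the same way as an empty PATH.

```shell
#!/bin/sh
# Constructed demo: how bash resolves a bare command name under different PATH values.
# probe_path and stray-tool are hypothetical names used only for this example.

# probe_path PATH_VALUE
# Prints "ran-from-cwd" if bash executed ./stray-tool through PATH lookup,
# "blocked" if command_not_found_handle fired, "not-found" otherwise.
probe_path() {
    demo_dir=$(mktemp -d) || return 1
    # Stand-in for an executable that happens to sit in the working directory.
    printf '#!/bin/sh\necho ran-from-cwd\n' > "$demo_dir/stray-tool"
    chmod +x "$demo_dir/stray-tool"
    # Exit status is ignored on purpose; the outcome is classified by output.
    result=$(
        cd "$demo_dir" &&
        PATH_UNDER_TEST=$1 bash -c '
            command_not_found_handle() { echo blocked; return 127; }
            PATH=$PATH_UNDER_TEST
            stray-tool
        ' 2>/dev/null
    ) || :
    rm -rf "$demo_dir"
    printf '%s\n' "${result:-not-found}"
}

# Empty value, the patch's value, then trailing and leading empty components.
for candidate in '' /dev/null /dev/null: :/dev/null; do
    printf 'PATH=%-14s -> %s\n' "'$candidate'" "$(probe_path "$candidate")"
done
```

Only `/dev/null` on its own reaches the handler; every value containing an empty component lets the file in the working directory run.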