On Sun, Jan 13, 2013 at 07:12:23PM +0100, Marc Espie wrote:
> On Sun, Jan 13, 2013 at 11:04:08AM -0600, Maximo Pech wrote:
> > At work, we have an "information security" area for IT.
> >
> > They mandate that on all shell scripts we have to use absolute paths for
> > every single command.
> >
> > I feel that this does not provide real security and only makes scripts
> > somewhat more painful to write.
> >
> > What's your opinion on this?
>
> That does provide ways less security than setting the PATH to a system-only
> path at the beginning of your script. Looks like you've got an
> intermediate-level shell programmer thinking he knows everything about
> security. (okay, that was mean).
>
> Sure, you invoke programs with an absolute path, but have you checked that
> those programs don't invoke other programs with execvp?
>
> LOCALE and LANG also come to mind...
> so does LD_PRELOAD and LD_LIBRARY_PATH just for starters.

Oh, and there's also the fact that hardcoding paths makes any shell-script WAYS less portable, as the exact paths vary from Unix variant to Unix variant. Why should I have to know whether I'm using /bin/true, /usr/bin/true or builtin true? There are already enough gratuitous incompatibilities between Unix variations.
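
The point made in this thread, as an added example that is not part of the original messages: a script prologue that pins PATH, the locale and the loader variables, plus a constructed demo showing that a child started by absolute path still resolves its own commands through the inherited PATH. The function names, the use of `/bin/sh` and `uname` as the sample programs, and the `/bin:/usr/bin` fallback are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed demo of the point above.

# Prologue: pin the variables the thread names instead of hardcoding paths.
sanitize_env() {
    # Loader overrides go first, before this script executes anything else.
    unset LD_PRELOAD LD_LIBRARY_PATH
    unset LANG LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
    LC_ALL=C; export LC_ALL
    # System-only PATH, asked from the OS so it stays portable across Unix
    # variants; /bin:/usr/bin is an assumed fallback if getconf is missing.
    PATH=$(command -p getconf PATH 2>/dev/null) || PATH=/bin:/usr/bin
    export PATH
}

# A program started by absolute path still looks up the commands *it* runs
# through the PATH it inherited (the execvp case from the thread).
child_lookup() {
    /bin/sh -c 'command -v uname'
}

# Put a harmless stand-in "uname" first in PATH, then compare what the child
# resolves before and after sanitize_env. Prints three "key: value" lines.
demo() {
    shimdir=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho stand-in\n' > "$shimdir/uname"
    chmod +x "$shimdir/uname"
    PATH="$shimdir:$PATH"; export PATH
    echo "shim: $shimdir"
    echo "before: $(child_lookup)"   # the stand-in, despite /bin/sh being absolute
    sanitize_env
    echo "after: $(child_lookup)"    # the system uname
    rm -rf "$shimdir"
}

demo
```

The variable list covers only what the thread mentions, which it describes as "just for starters".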

