On Mon, Jan 14, 2013 at 1:14 AM, Jeremie Le Hen <jere...@le-hen.org> wrote: > On Sun, Jan 13, 2013 at 07:12:23PM +0100, Marc Espie wrote: >> On Sun, Jan 13, 2013 at 11:04:08AM -0600, Maximo Pech wrote: >> > >> > They mandate that on all shell scripts we have to use absolute paths for >> > every single command. >> >> That does provide ways less security than setting the PATH to a system-only >> path at the beginning of your script. > > Can you elaborate on this? From a security point of view only, this > looks to me as a draw. If you consider the portability issues then > sure, setting PATH is better.
You cut out his next paragraph which gives an example of why: >> Sure, you invoke programs with an absolute path, but have you checked that >> those programs don't invoke other programs with execvp ? Hard coding depends on you to actually hard code EVERYWHERE, including in paths and commands passed to *other* commands executed from the script that you write. If you screw up and miss one, you lose. Set PATH and you can't miss one. Philip Guenther
