On Mon, Nov 28, 2005 at 04:30:25PM +0100, Said Outgajjouft wrote:
> >$ENV{'PATH'} = "/sbin:/bin:/usr/sbin:/usr/bin";
> >
> >and that is where pwd_mkdb will be found.
> >
> >
> Hmm that doesn't answer my question.
> The answer I am looking for could be one of the following.
>
> 1. The PATH environment is local to the process and cannot be tampered with.
>
> 2. The PATH environment is global but if someone can tampered with it
> you are screwed
> anyway so it doesn't matter that the pwd_mkdb is called using a
> relative path.
>
> 3. The PATH environment however very slim can be tempered with so
> adduser instead calls
> /evilfiles/pwd_mkdb then adding an absolute path sounds like
> something that should be done.
$ENV is inherited from the parent process, but $ENV{'PATH'} is set
explicitly inside the script, so it will have the desired value
mentioned above.
Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
