On Tue, May 14, 2013 at 9:25 AM, Mac Innes, Kiall <ki...@hp.com> wrote:
> On 14/05/13 12:02, Stanislav Pugachev wrote:
> > Hi,
> > I've added a blueprint
> > https://blueprints.launchpad.net/hacking/+spec/absolute-paths-of-os-binaries
> > Please, take a look and let's discuss it if it makes sense.
> > Thank you
> > Stas.
> >
>
> Am I correct in thinking that, if the attacker is able to modify $PATH in
> the environment under which nova etc runs, you've already lost?
>

Yep.

> I would argue this is at worst a packaging bug, assuming packagers are not
> explicitly defining the $PATH variable as part of the init scripts.
>

That and the PATH that any user with the rights to run nova services and commands -- the general best practice is to make sure that all the entries in $PATH are absolute paths, and that nothing in $PATH is world-writable.

> P.S. the openstack-dev mailing list is generally where blueprint
> discussion happens :)
>
> Thanks,
> Kiall
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
>
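The PATH hygiene check described in the reply above (every entry absolute, none world-writable), as an added example that is not part of the original thread; the function names and the sample directories are constructed for illustration. It also flags empty entries, which shells and execvp() treat as the current directory.

```python
import os
import stat
import tempfile


def audit_path(path_value):
    """Return a list of (entry, problem) tuples for a PATH-style string."""
    findings = []
    for entry in path_value.split(os.pathsep):
        # An empty entry means "current directory" to execvp() and shells.
        if entry == "":
            findings.append((entry, "empty entry (current directory)"))
            continue
        if not os.path.isabs(entry):
            findings.append((entry, "relative path"))
            continue
        try:
            mode = os.stat(entry).st_mode  # follows symlinks on purpose
        except OSError:
            findings.append((entry, "missing or unreadable"))
            continue
        if not stat.S_ISDIR(mode):
            findings.append((entry, "not a directory"))
        elif mode & stat.S_IWOTH:
            findings.append((entry, "world-writable"))
    return findings


def build_sample_path():
    """Constructed sample: a safe dir, a world-writable dir, a relative and an empty entry."""
    root = tempfile.mkdtemp(prefix="pathaudit-")
    safe = os.path.join(root, "safe")
    loose = os.path.join(root, "loose")
    os.mkdir(safe)
    os.mkdir(loose)
    os.chmod(safe, 0o755)
    os.chmod(loose, 0o777)  # chmod is not affected by the umask
    return safe, loose, os.pathsep.join([safe, loose, "bin", ""])


if __name__ == "__main__":
    # Audit the PATH this process inherited, e.g. from an init script.
    for entry, problem in audit_path(os.environ.get("PATH", os.defpath)):
        print(f"{entry!r}: {problem}")
```

Run it as the service account, with the environment the init script sets up, so the audited PATH is the one the service actually sees.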