On Oct 15, 2008, at 2:02 AM, David Schmitt wrote:

>
> Luke Kanies wrote:
>> On Oct 14, 2008, at 9:26 AM, Sean E. Millichamp wrote:
>>
>>> -        Puppet.debug "Running chcon #{flag} #{value} #{file}"
>>> -        retval = system("chcon #{flag} #{value} #{file}")
>>> +        Puppet.debug "Running chcon -h #{flag} #{value} #{file}"
>>> +        retval = system("chcon -h #{flag} #{value} #{file}")
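Review bot: the added `system("chcon -h #{flag} #{value} #{file}")` line interpolates `file` into a single command string, so Ruby passes it through the shell whenever it contains shell metacharacters, and a path with spaces or characters such as `;` or `$` is split or interpreted rather than handed to chcon as one argument. Pass an argument vector instead, for example `system("chcon", "-h", flag, value, file)` (assuming `flag` holds a single option), and add a short comment saying why `-h` is wanted, since the hunk does not explain the switch to operating on the symlink itself.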
>>
>>
>> I know I should have mentioned this ages ago, but in general I prefer
>> fully-qualified binaries when possible.  I know this is meant to run
>> as root anyway, but path attacks are still out there.
>>
>
> Shouldn't path-attacks be averted by defining a puppet-local path
> instead of hardcoding the path to a binary?

Hmm, I was thinking of cases where people could add items to a
legitimate path, but I guess you're right -- one normally only worries
about people's ability to modify user-writable paths.

I guess I can't come up with a good reason to want fully qualified  
binaries, but I apparently do. :/

-- 
I think that all good, right thinking people in this country are sick
and tired of being told that all good, right thinking people in this
country are fed up with being told that all good, right thinking people
in this country are fed up with being sick and tired. I'm certainly
not, and I'm sick and tired of being told that I am.
     -- Monty Python
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
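The two options weighed in this thread, a fixed puppet-local search path and a fully qualified binary, can be combined: resolve the command once against a fixed list of directories, skip any directory that is writable by group or other, and execute the resulting absolute path with an argument vector. The Ruby below is an added example, not code from Puppet or from the posters; `TRUSTED_DIRS`, `safe_dir?`, `resolve_command` and `run_trusted` are hypothetical names, and the directory list and the "owned by root" rule are assumptions.

```ruby
# Added example: resolve a command against a fixed search path, not ENV["PATH"].
# All names here are hypothetical; the directory list is an assumed policy.

TRUSTED_DIRS = %w[/usr/sbin /usr/bin /sbin /bin].freeze

# A directory is acceptable only if it exists, belongs to a trusted owner
# and cannot be written by group or other.
def safe_dir?(dir, owner_uids)
  return false unless File.directory?(dir)
  st = File.stat(dir)
  owner_uids.include?(st.uid) && (st.mode & 0o022).zero?
end

# Return the absolute path of the first executable match, or nil if none.
def resolve_command(name, dirs: TRUSTED_DIRS, owner_uids: [0])
  raise ArgumentError, "bare command name expected: #{name.inspect}" if name.include?("/")
  dirs.each do |dir|
    next unless safe_dir?(dir, owner_uids)
    candidate = File.join(dir, name)
    return candidate if File.file?(candidate) && File.executable?(candidate)
  end
  nil
end

# Run the resolved binary with an argument vector (the [path, argv0] form
# never goes through a shell) and give the child the same fixed PATH.
def run_trusted(name, *args, dirs: TRUSTED_DIRS, owner_uids: [0])
  path = resolve_command(name, dirs: dirs, owner_uids: owner_uids)
  raise Errno::ENOENT, name if path.nil?
  system({ "PATH" => dirs.join(":") }, [path, name], *args)
end

if __FILE__ == $PROGRAM_NAME
  puts "chcon resolves to: #{resolve_command('chcon').inspect}"
end
```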

