From: dann frazier; Sent: Friday, January 16, 2004 8:35 AM
>
> my worry now becomes one of security - if somehow root's path is set
> with a NULL component, and root decides to run a SIm command from /tmp,
> then there's potential for a local (in some cases a remote) user to
> get some code executed as root. If we are setting $PATH, and screw up by
> leaving a NULL component, I would consider this a security hole in SIS.

If root's PATH includes either an explicit or implicit CWD, then that needs to be honored, just as the shell will.

> If we're just using the already-set $PATH, then I probably wouldn't
> consider it a hole in SIS - rather, it'd be a mistake on the admin's part.

Well, you haven't created a problem that didn't already exist. Actually, prepareclient explicitly sets PATH, as any good trusted program should.

> I'm on the fence here - anyone else have an opinion?
> Sean - I think you originally introduced this into SIS - did you
> intentionally exclude this property of which, or were you oblivious
> about it as I was?

At this point, I'm just trying to get correct code.

--
dnl

My comments represent my opinions, not those of Intel Corporation.
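
The NULL-component case discussed in this thread, as an added example that is not part of the original e-mail or of SIS: a POSIX shell function (the name `audit_path` is hypothetical) that flags every PATH entry a shell would resolve against the current directory, including the implicit ones produced by a leading, trailing, or doubled colon. The sample PATH at the end is constructed.

```sh
#!/bin/sh
# Added example: audit a PATH string for components that depend on the CWD.
#   empty component (":/bin", "/bin:", "/a::/b")  -> implicit CWD
#   "." or "./something"                          -> explicit CWD
#   any other non-absolute entry                  -> relative to CWD

# audit_path PATHSTRING
# Prints one finding per line; returns 0 if the PATH is clean, 1 otherwise.
audit_path() {
    findings=0
    position=0
    # Append ':' so the loop also sees a trailing empty component.
    rest="${1}:"
    while [ -n "$rest" ]; do
        component=${rest%%:*}   # text before the first ':'
        rest=${rest#*:}         # text after the first ':'
        position=$((position + 1))
        case $component in
            '')
                echo "component $position: empty (implicit CWD)"
                findings=$((findings + 1)) ;;
            .|./*)
                echo "component $position: '$component' (explicit CWD)"
                findings=$((findings + 1)) ;;
            /*)
                ;;              # absolute directory: not CWD-dependent
            *)
                echo "component $position: '$component' (relative to CWD)"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: a trailing ':' left behind by appending an unset variable.
SAMPLE_PATH="/usr/sbin:/usr/bin:/sbin:/bin:"
audit_path "$SAMPLE_PATH" || echo "PATH is not safe for a privileged program"
```

A program that sets its own PATH, as prepareclient is said to do above, can run a check like this on the value it builds before exporting it.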