------- Comment From [email protected] 2018-11-20 02:56 EDT-------
We set the PATH before calling system() to execute the generated program for
security reasons. That way a user cannot manipulate the PATH environment
variable and that way cause a different executable to be used. By setting the
path we restrict the search path to the well-known executable locations.
Remember zkey may run as root or somewhat privileged so that it can execute 
"cryptsetup luksFormat" or similar.

There is also a similar note in the man page for system():
"Do not use system() from a privileged program (a set-user-ID or set-group-ID 
program, or a program with capabilities) because strange values for some 
environment variables might be used to subvert system integrity.  For example, 
PATH could be manipulated so that an arbitrary program is executed with 
privilege.  Use the exec(3) family of functions instead, but not execlp(3) or 
execvp(3) (which also use the PATH environment variable to search for an 
executable)."

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1803958

Title:
  [UBUNTU] zkey: Fails to run commands generated by 'zkey cryptsetup'
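
The approach recommended in the quoted system() man page note, as an added example (not code from zkey or from this bug thread): run a helper by absolute path with execve() and a fixed, minimal environment, so neither the caller's PATH nor any other inherited variable reaches the child. The function name `run_trusted` and the `TRUSTED_PATH` value are assumptions; the comment does not show the path zkey actually sets.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed search path; the value zkey sets is not given in the comment. */
#define TRUSTED_PATH "PATH=/usr/sbin:/usr/bin:/sbin:/bin"

/* Run argv[0] (absolute path required) with a fixed environment.
 * Returns the child's exit status, 127 if exec failed in the child,
 * or -1 on error or abnormal termination. */
int run_trusted(char *const argv[])
{
    static char *const clean_env[] = { TRUSTED_PATH, NULL };
    int status;
    pid_t pid;

    if (argv == NULL || argv[0] == NULL || argv[0][0] != '/') {
        errno = EINVAL;   /* a relative name would require a PATH search */
        return -1;
    }
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* execve(): no PATH lookup, nothing inherited from the caller's env */
        execve(argv[0], argv, clean_env);
        _exit(127);
    }
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed demo: the caller's PATH is hostile, the child never sees it. */
    char *const check[] = { "/bin/sh", "-c",
        "test \"$PATH\" = /usr/sbin:/usr/bin:/sbin:/bin", NULL };

    setenv("PATH", "/tmp/attacker-controlled", 1);
    printf("child saw trusted PATH: %s\n",
           run_trusted(check) == 0 ? "yes" : "no");
    return 0;
}
```

Because the child's environment is built from scratch, commands that the helper itself spawns by bare name are also resolved against the fixed path rather than the caller's.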
