On 15/06/16 18:45 +0200, Klaus Wenninger wrote:
> On 06/15/2016 06:11 PM, Ferenc Wágner wrote:
>> Did you think about filtering the environment variables passed to the
>> alert scripts? NOTIFY_SOCKET probably shouldn't be present, and PATH
>> probably shouldn't contain sbin directories; I guess all these are
>> inherited from systemd in my case.
>
> It is just what crmd comes along with ... but interesting point ...

... and having Shellshock vulnerability in mind, also a little bit worrying (yes, even nowadays).

(that being said, I've already presented my subversive opinion that shell introduces more headaches than reasonable, as using it may be most natural and with almost no barriers to entry, but it's actually quite hard to make scripts bullet-proof; say chances the script will be derailed just with a space-contained [not talking about quotes] parameter are quite high: http://clusterlabs.org/pipermail/users/2015-May/000403.html)

-- 
Jan (Poki)
_______________________________________________
Users mailing list: [email protected]
http://clusterlabs.org/mailman/listinfo/users

Project Home: http://www.clusterlabs.org
Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
Bugs: http://bugs.clusterlabs.org
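
The environment filtering discussed in this thread, as an added example that is not part of the original messages and is not Pacemaker code: a POSIX shell wrapper that starts an alert script under `env -i` with an allowlisted environment, so that NOTIFY_SOCKET is dropped, sbin directories are removed from PATH, and values containing spaces are passed intact. The function names are hypothetical, and the `CRM_alert_` allowlist prefix (Pacemaker's alert variable prefix) is an assumption that does not appear in the thread.

```shell
#!/bin/sh
# Added example, not Pacemaker code: run an alert script with a filtered environment.

# Print a colon-separated PATH value with sbin and empty entries removed.
strip_sbin() (
    set -f          # no globbing while the value is split on ':'
    IFS=:
    out=
    for dir in $1; do
        case $dir in
            ''|*/sbin|*/sbin/) continue ;;   # an empty entry means "current directory"
        esac
        out=${out:+$out:}$dir
    done
    printf '%s\n' "$out"
)

# Run "$@" under env -i with only PATH (minus sbin) and CRM_alert_* variables.
# Assumes single-line values, since env prints one NAME=value per line.
run_alert_clean() (
    clean_path=$(strip_sbin "${PATH:-/usr/bin:/bin}")
    for name in $(env | sed -n 's/^\(CRM_alert_[A-Za-z0-9_]*\)=.*/\1/p'); do
        eval "value=\$$name"          # name is limited to [A-Za-z0-9_] by the sed pattern
        set -- "$name=$value" "$@"    # quoted, so spaces in the value survive
    done
    exec env -i PATH="$clean_path" "$@"
)

# Constructed demo values (not taken from the thread).
(
    export NOTIFY_SOCKET=/run/systemd/notify CRM_alert_node='node one'
    run_alert_clean sh -c 'echo "node=$CRM_alert_node socket=${NOTIFY_SOCKET-unset}"'
)
```
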
