cvs commit: src/etc rc.subr

Brooks Davis brooks at one-eyed-alien.net
Tue Jan 2 13:11:09 PST 2007


On Sun, Dec 31, 2006 at 11:04:11AM -0600, Mike Pritchard wrote:
> On Sun, Dec 31, 2006 at 11:07:29AM +0000, Yar Tikhiy wrote:
> > yar         2006-12-31 11:07:29 UTC
> > 
> >   FreeBSD src repository
> > 
> >   Modified files:
> >     etc                  rc.subr 
> >   Log:
> >   Allow for /usr/bin/env when parsing the shebang line from an
> >   interpreted $command.  Some "portable" software packages use such a
> >   line to skip the task of figuring out the absolute pathname of the
> >   interpreter at install time, e.g.:
> >   
> >           #!/usr/bin/env python
> >   
> >   It is insecure, but a popular book on Python seems to have advised
> >   it to a wide audience.  Hence a number of such scripts in the ports,
> >   mostly written in Python.
> 
> If it's insecure, then why allow it?  If the ports need a patch to make it
> secure, then they should be patched.
> 
> I don't like seeing something from rc.subr with a comment about it
> being less secure....

It's only a security problem in the case of an insecure path.  This
isn't generally the case for rc.d's execution context.  It's only
a security issue if administrators are stupid enough to place
untrustworthy directories such as "." in root's path.

-- Brooks
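As an added illustration of the point under discussion (my own sketch, not code from rc.subr or from anyone in this thread): a POSIX sh routine that resolves the interpreter from a script's shebang line and, when the line goes through `/usr/bin/env`, walks `$PATH` but refuses entries such as "." or group/world-writable directories. The function names `trusted_dir` and `resolve_interp`, the optional second argument overriding `$PATH`, and the `ls -ld` mode check are all my assumptions; `env` options (e.g. `-S`) are not handled.

```shell
#!/bin/sh
# Added example, not rc.subr's own code.  resolve_interp SCRIPT [PATH]
# prints the absolute path of the interpreter named in SCRIPT's shebang
# line.  "#!/usr/bin/python" is used as given; "#!/usr/bin/env python"
# is looked up along PATH (default: $PATH), refusing unsafe entries.

# Is $1 a directory we are willing to take an interpreter from?
# Rejects relative and empty entries (the shell treats an empty PATH
# element as ".") and any directory writable by group or others.
trusted_dir() {
    case "$1" in /*) ;; *) return 1 ;; esac
    [ -d "$1" ] || return 1
    _mode=$(ls -ld "$1" | cut -c1-10)      # e.g. drwxr-xr-x
    case "$_mode" in
    ?????w????|????????w?) return 1 ;;     # group or other write bit
    esac
    return 0
}

resolve_interp() {
    _search=${2:-$PATH}
    _line=$(head -n 1 "$1") || return 1
    case "$_line" in "#!"*) ;; *) return 1 ;; esac   # no shebang
    set -- ${_line#"#!"}                   # split into interp [args]
    [ $# -gt 0 ] || return 1
    if [ "$1" != /usr/bin/env ]; then
        [ -x "$1" ] || return 1            # absolute interpreter path
        echo "$1"
        return 0
    fi
    shift                                  # the name env would look up
    [ $# -gt 0 ] || return 1
    _name=$1
    _rest=$_search:
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}
        _rest=${_rest#*:}
        trusted_dir "$_dir" || {
            echo "refusing untrusted PATH entry '$_dir'" >&2
            return 1
        }
        [ -x "$_dir/$_name" ] && { echo "$_dir/$_name"; return 0; }
    done
    return 1                               # not found on trusted PATH
}
```

Unlike env(1), which silently takes the first match, this fails closed as soon as it meets an untrusted entry, so a "." earlier in PATH cannot shadow the real interpreter.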