On Fri, 15 Jun 2018 at 23:21, Björn Persson <Bjorn@rombobjörn.se> wrote:
[..]
> Don't forget that if your proof of concept can be modified to either
> overwrite or append to ~/.bashrc, then it's irrelevant to this debate.

Is it really so hard to execute "strace -e trace=openat,stat bash -l" to spot that before ~/.bashrc is executed many other script executions have already finished, or, if someone doesn't know how to use strace, to just read the bash(1) man page?

Part of such an example strace output:

    openat(AT_FDCWD, "/etc/profile", O_RDONLY) = 3
    [..]
    openat(AT_FDCWD, "/etc/bashrc", O_RDONLY) = 3
    openat(AT_FDCWD, "/home/tkloczko/.bash_profile", O_RDONLY) = 3
    stat("/home/tkloczko/.bashrc", {st_mode=S_IFREG|0644, st_size=192, ...}) = 0

Quote from bash(1):

"When bash is invoked as an interactive login shell, or as a non-interactive shell with the --login option, _it first reads and executes commands from the file /etc/profile_, if that file exists. After reading that file, it looks for ~/.bash_profile, ~/.bash_login, and ~/.profile, in that order, and reads and executes commands from the first one that exists and is readable. The --noprofile option may be used when the shell is started to inhibit this behavior."

Whatever you want to do over your account session or profile scripts, it is already _too late_.

Is that clear now?

If you have no time to at least try by experiment to disprove what has already been written in this thread, just please stop posting comments, because you are giving a clear signal that you are not even trying to understand the subject. Is it really so hard to use the strace command to trace what really is done during shell session initialization with the current Fedora default settings? If doing such a test is beyond the TECHNICAL skills of all Fedora Committee members, discussing this subject here is really pointless.

My understanding is that Fedora has already identified the REAL risk of using the env command, because the currently used Fedora rpm package build framework automatically removes the use of env in all scripts before generating packages. In other words, the level of this risk is KNOWN and well enough understood by the engineers taking care of the security aspects of Fedora packages.

So here is the "news", if it is still not obvious: the risk factor of using env is MAINLY because of the current $PATH.

And one more time: can someone please point to the technical justification for putting /usr/local based paths at the front of $PATH? I'm 100% sure that Fedora Committee members (current or past) should know where such a justification is documented (?) If there is no such justification, then according to lex parsimoniae (better known as Ockham's Razor) this should cause instant action to remove the use of those paths in the OOTB settings.

kloczek
--
Tomasz Kłoczko | LinkedIn: http://lnkd.in/FXPWxH

List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/4QHXI2I25RJ46KO4LERWUQBW6HI52J6V/
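The $PATH risk the post describes, as an added example that is not code from the thread or from Fedora: a few POSIX sh functions that list the directories searched before /usr/bin, flag the ones the current user can write to, and mirror the lookup env(1) performs for a command name. It assumes /usr/bin and /bin are the trusted system directories; the test below builds its own temporary directory rather than touching /usr/local.

```shell
#!/bin/sh
# Added example, not code from the thread. It inspects a PATH value the way
# the argument above frames the risk: which directories are searched before
# /usr/bin, and whether the current user could place a file there that
# "env NAME" (and so a "#!/usr/bin/env NAME" script) would pick up.
# Assumption: /usr/bin and /bin are the trusted system directories.

# Print the PATH entries searched before /usr/bin or /bin, one per line.
# An empty entry means "current directory" and is printed as ".".
dirs_before_system_bin() {
    _old_ifs=$IFS; IFS=:
    set -f; set -- $1; set +f       # split on ':' without globbing
    IFS=$_old_ifs
    for _d in "$@"; do
        [ -n "$_d" ] || _d=.
        case $_d in
            /usr/bin|/bin) break ;;
            *) printf '%s\n' "$_d" ;;
        esac
    done
}

# Print the entries from dirs_before_system_bin that the current user can
# write to: anything dropped there shadows the system binary of that name.
writable_shadow_dirs() {
    dirs_before_system_bin "$1" | while IFS= read -r _d; do
        if [ -w "$_d" ]; then printf '%s\n' "$_d"; fi
    done
}

# Mirror the lookup env(1) performs: first executable NAME in PATH order.
# Prints the resolved path and returns 0, or returns 1 if nothing matched.
env_resolves() {
    _name=$1
    _old_ifs=$IFS; IFS=:
    set -f; set -- $2; set +f
    IFS=$_old_ifs
    for _d in "$@"; do
        [ -n "$_d" ] || _d=.
        if [ -f "$_d/$_name" ] && [ -x "$_d/$_name" ]; then
            printf '%s\n' "$_d/$_name"
            return 0
        fi
    done
    return 1
}
```

In an interactive shell, `writable_shadow_dirs "$PATH"` prints the directories where a user-writable file would win over /usr/bin for any `#!/usr/bin/env NAME` script.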