Re: Why is "local" insecure PATH element ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 4/1/20 4:27 AM, Lukas Czerner wrote:
I've noticed some failures in automated tests in bodhi, specifically
this one:

     {
        "arch" : "x86_64",
        "code" : "SuspiciousPath",
        "context" : {
	  "excerpt" : [
	     "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
	  ],
	  "path" : "/usr/sbin/e2scrub"
        },
        "diag" : "Potentially insecure PATH element <tt>/local</tt>",
        "subpackage" : "e2scrub"
     },

I am not sure why it's considered insecure while on all of the Fedora
and RHEL systems I have available "/usr/local/sbin:/usr/local/bin" is a
default part of the PATH.

You don't want a system script to be looking for executables in /usr/local before the regular bin directories. And it's probably better that it doesn't look in /usr/local at all. It's fine for the admin to put extra things in /usr/local, but those paths don't override the system ones.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux