Date: Fri, 5 Jan 2007 13:32:03 +0300 From: Yar Tikhiy <yar@comp.chem.msu.su> To: Mike Pritchard <mpp@mppsystems.com> Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/etc rc.subr Message-ID: <20070105103203.GA68718@comp.chem.msu.su> In-Reply-To: <20061231170411.GA53408@mail.mppsystems.com> References: <200612311107.kBVB7TrP042343@repoman.freebsd.org> <20061231170411.GA53408@mail.mppsystems.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Dec 31, 2006 at 11:04:11AM -0600, Mike Pritchard wrote: > On Sun, Dec 31, 2006 at 11:07:29AM +0000, Yar Tikhiy wrote: > > yar 2006-12-31 11:07:29 UTC > > > > FreeBSD src repository > > > > Modified files: > > etc rc.subr > > Log: > > Allow for /usr/bin/env when parsing the shebang line from an > > interpreted $command. Some "portable" sofware packages use such a > > line to skip the task of figuring out the absolute pathname of the > > interpreter at install time, e.g.: > > > > #!/usr/bin/env python > > > > It is insecure, but a popular book on Python seems to have advised > > it to a wide audience. Hence a number of such scripts in the ports, > > mostly written in Python. > > If its insecure, than why allow it? If the ports need a patch to make it > secure, then they should be patched. > > I don't like seeing something from rc.subr with a comment about it > being less secure.... Then feel free to patch src/sys/kern/imgact_shell.c for it is the root of the evil, and face a torrent of complaints. OTOH rc.subr's _find_processes() deals with a different side of the issue that has no security implications because the insecure script is supposed to be already running. My commit message just explained why we have to pay attention to the case at all in rc.subr. It was my fault that I didn't realise some folks would be totally caught by the flypaper word "security." -- Yar
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070105103203.GA68718>