Chet Ramey wrote: > Bob Proulx wrote: > > It seems okay to leave PATH alone to me. Why set it at all? > > > > I don't see the security issue that you are concerned about. Could > > you educate me? > > I suppose it's not a large security hole if $EDITOR is used, only > when bashbug chooses $DEFEDITOR.
Even then I don't see any security hole there. The PATH is already set when the script is invoked. It is the PATH the caller wishes to use, invoking the $EDITOR command the caller wishes to invoke. I see no privilege escalation there. > Frankly, though, it's a good idea to set PATH to have the standard > binary directories before any others when writing a shell script, > especially one that can be run by root. That's just good practice. I respectfully disagree. Strongly! :-) PATH is a configuration of the caller's environment. It isn't a good idea to change it just to override the caller's desired environment. Normal programs should not be changing it against the caller's wishes. (By normal in this case I mean programs that don't change the privilege level, meaning not 'su' or 'sudo' or so forth.) I think for the purposes of invoking $EDITOR that the caller's PATH should be respected. Bob
