[CDBUG-talk] Sysadmin blog

Brian Callahan bcallah at devio.us
Sun Nov 16 23:10:00 EST 2014


On 11/16/14 23:04, Patrick Muldoon wrote:
>> On Nov 16, 2014, at 10:49 PM, Jaime <jaime at snowmoon.com> wrote:
>>
>> On Sun, Nov 16, 2014 at 10:24 PM, Brian Callahan <bcallah at devio.us> wrote:
>>>> 1)  Isn't the shebang that you suggested still hardcoded?  When the
>>>> script is taken to a new OS, wouldn't there still be a risk of it
>>>> breaking?  Has env just been in Unix for so long that it's always in
>>>> /usr/bin?
>>>
>>> You're right: env is not guaranteed to be in /usr/bin but it is the
>>> historical location of env, so it will work on Linuxes and BSDs (and
>>> afaik, Solaris/AIX/HP-UX). Pretty much it's an anomaly if env isn't in
>>> /usr/bin and it's also extremely likely bash, if available, wouldn't be
>>> in /bin on such a system anyway!
>>
>> Gotcha.  So the path of env is more consistent across different OSs
>> than bash's is.  Therefore, it's just more likely to work without
>> modification due to this "accident" of history.  Do I understand?
>>
>
> I’ve not run into anything recent that doesn’t have env in /usr/bin,
>
> but I have plenty of stuff that doesn’t have bash there :) (For systems
> on which I have bash installed that I might actually want to run, it
> would be /usr/local/bin/, and this would include my Mac, as I don’t use
> the OSX-provided version of it or of zsh, my preferred shell for
> interactive use.)
>>
>>> Because env searches your PATH, you could install a newer/custom bash
>>> (remember shellshock?) elsewhere and have your scripts use that new bash
>>> without editing the script (provided your PATH is set up to hit the
>>> new bash first).
>>
>> It's funny that you bring up shellshock.  I was just wondering if using
>> env would increase the likelihood of running a malicious program that
>> happened to be called "bash" if a user managed to put it into my $PATH
>> somehow.
>>
>
> If you don’t trust your path, you’re pretty much screwed regardless  :)
>
> But this is also part of the argument (and newbie tripper upper) 
> against having CWD in your path.  So you cannot be tricked into 
> running something that you didn’t expect to run.
>
>

I recently had a conversation with someone whose .profile read 
PATH=.:$HOME/bin:/bin:(etc...)
The initial . threw me for a loop at first.

~Brian
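As an added illustration of the two points argued in this thread, that `#!/usr/bin/env bash` resolves bash by walking PATH, so a newer bash installed earlier in PATH wins without editing the script, and that a `.` or empty PATH entry lets whoever controls the current directory supply that "bash", here is a small POSIX sh script. It is not code posted by anyone on the list; the helper names `resolve_in_path` and `path_has_cwd_entry` are our own, and the directories and "bash" files it builds are constructed in a temporary directory and are only looked up, never executed.

```shell
#!/bin/sh
# Added example, not from the thread: how `#!/usr/bin/env bash` picks a
# bash via PATH, and why a "." (or empty) PATH entry hands that choice to
# whoever controls the current directory. Helper names are ours.

# Walk a PATH string left to right, the way env(1)/execvp do, and print
# the first executable regular file named $1. An empty entry (leading or
# trailing ":" or "::") means the current directory, exactly like ".".
resolve_in_path() {
    cmd=$1
    rest=$2:                     # trailing ":" so the loop sees every entry
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        [ -z "$dir" ] && dir=.
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            printf '%s\n' "$dir/$cmd"
            return 0
        fi
    done
    return 1
}

# Print every PATH entry that is resolved relative to the current
# directory (".", "", or any non-absolute path). Returns 0 if any exist,
# 1 if the PATH is clean. Check your own with: path_has_cwd_entry "$PATH"
path_has_cwd_entry() {
    rest=$1:
    found=1
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        case $dir in
            /*) ;;                                          # absolute: fine
            '') printf '%s\n' '(empty entry = cwd)'; found=0 ;;
            *)  printf '%s\n' "$dir"; found=0 ;;
        esac
    done
    return $found
}

# Demo with constructed directories: a "system" bash, a newer one
# installed elsewhere (the post-Shellshock upgrade case), and one planted
# in a directory we happen to cd into. None of them is ever run.
demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/usr-bin" "$t/local-bin" "$t/untrusted"
    for d in usr-bin local-bin untrusted; do
        printf '#!/bin/sh\necho bash from %s\n' "$d" > "$t/$d/bash"
        chmod 755 "$t/$d/bash"
    done

    echo "PATH with only the system bash:"
    resolve_in_path bash "$t/usr-bin"                      # $t/usr-bin/bash
    echo "PATH with the upgraded bash first (no script edits needed):"
    resolve_in_path bash "$t/local-bin:$t/usr-bin"         # $t/local-bin/bash
    echo "PATH=.:... while sitting in an untrusted directory:"
    ( cd "$t/untrusted" && resolve_in_path bash ".:$t/local-bin:$t/usr-bin" )  # ./bash
    echo "Entries that make that possible:"
    path_has_cwd_entry ".:$t/local-bin::$t/usr-bin"

    rm -rf "$t"
}

demo
```

Note that the planted file does not have to be first in PATH to matter: a `.` anywhere in PATH is consulted for any name that no earlier directory provides (a mistyped `sl`, a tool that is not installed on this box), which is the "tricked into running something you didn't expect" case from the thread. Running `path_has_cwd_entry "$PATH"` in a login shell is a quick way to spot the `PATH=.:$HOME/bin:...` pattern mentioned above.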