[CDBUG-talk] Sysadmin blog
Patrick Muldoon
doon at labratsoftware.com
Sun Nov 16 23:04:05 EST 2014
> On Nov 16, 2014, at 10:49 PM, Jaime <jaime at snowmoon.com> wrote:
>
> On Sun, Nov 16, 2014 at 10:24 PM, Brian Callahan <bcallah at devio.us <mailto:bcallah at devio.us>> wrote:
>>> 1) Isn't the shebang that you suggested still hardcoded? When the
>>> script is taken to a new OS, wouldn't there still be a risk of it
>>> breaking? Has env just been in Unix for so long that its always in
>>> /usr/bin?
>>
>> You're right: env is not guaranteed to be in /usr/bin but it is the
>> historical location of env, so it will work on Linuxes and BSDs (and afaik,
>> Solaris/AIX/HP-UX). Pretty much it's an anomaly if env isn't in /usr/bin and
>> it's also extremely likely bash, if available, wouldn't be in /bin on such a
>> system anyway!
>
> Gotcha. So the path of env is more consistent across different OSs
> than bash's is. Therefore, its just more likely to work without
> modification due to this "accident" of history. Do I understand?
>
I’ve not run into anything recent that doesn’t have env in /usr/bin
but I have plenty of stuff that doesn’t have bash there :) (for systems that I have bash installed that I might actually want to run, it would be /usr/local/bin/ and this would include my mac as I don’t use the OSX provided version of it or zsh —my preferred shell for interactive use).
>
>> Because env searches your PATH, you could install a newer/custom bash
>> (remember shellshock?) elsewhere and have your scripts use that new bash
>> without editing the script (provided your PATH is set up to hit the new bash
>> first).
>
> Its funny that you bring up shellshock. I was just wondering if using
> env would increase the likelihood of running a malicious program that
> happened to be called "bash" if a user managed to put it into my $PATH
> somehow.
>
If you don’t trust your path, you’re pretty much screwed regardless :)
But this is also part of the argument (and newbie tripper upper) against having CWD in your path. So you cannot be tricked into running something that you didn’t expect to run.
-Patrick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nycbug.org/pipermail/cdbug-talk/attachments/20141116/d4983d36/attachment-0001.html>
More information about the CDBUG-talk
mailing list