This is the mail archive of the
mailing list for the Cygwin project.
Re: Cannot exec() program outside of /bin if PATH is unset
- From: Christian Franke <Christian dot Franke at t-online dot de>
- To: cygwin at cygwin dot com
- Date: Sat, 13 Sep 2014 12:00:17 +0200
- Subject: Re: Cannot exec() program outside of /bin if PATH is unset
- Authentication-results: sourceware.org; auth=none
- References: <5413271B dot 1010109 at t-online dot de> <54134A83 dot 80107 at redhat dot com> <54135451 dot 3060902 at t-online dot de> <601154762 dot 20140913012935 at yandex dot ru> <541378C4 dot 6030705 at t-online dot de> <54137BDE dot 6040907 at redhat dot com> <54137C7F dot 1040507 at redhat dot com>
Eric Blake wrote:
On 09/12/2014 05:03 PM, Eric Blake wrote:
On 09/12/2014 04:50 PM, Christian Franke wrote:
Andrey Repin wrote:
Hmm... is postfix actually broken?
Unsetting PATH is IMO sane (from the POSIX POV) if all exec() calls use
absolute path names.
If all exec() calls are made with full paths, unsetting $PATH does not
security in any way,
Of course. But postfix could be configured to run "unknown" external
programs through its various daemons. In this case, a fixed (here:
empty) PATH improves security. If not convinced, please discuss with the
author of postfix :-)
An empty PATH leaves it up to the implementation what helpers get run
(if it doesn't fall over first), which is LESS secure than a guaranteed
safe PATH of confstr(_CS_PATH).
By the way, passing a _safe_ PATH to your child process IS a good idea
for security-conscious programs, but you have to do it correctly
Agree. The postfix spawn(8) and pipe(8) daemons actually spawn external
programs with PATH set to _PATH_DEFPATH.
(by passing an actual safe path, and NOT by completely unsetting PATH).
Disagree. The postfix master(8) spawns all of its daemons with PATH
unset. This IMO does not violate POSIX.
Note that setting PATH=/bin on Cygwin does not fix the security problem
in the DLL search order. Even with "SafeDllSearchMode" enabled, the
current directory is always checked before PATH. Running some Cygwin
program from /usr/sbin, /usr/local/bin, /usr/libexec, ... would load a
possible malicious cyg*.dll from current directory regardless of PATH
setting. Only programs in /bin are safe.
Using SetDllDirectory("c:\\cygwin\\bin") somewhere in cygwin1.dll would
fix this also.
Problem reports: http://cygwin.com/problems.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple