From: Wayne Morrison <Wayne.Morrison@co...> - 2009-10-29 16:16:19
Several of the DNSSEC-Tools scripts run other programs as part of their
execution. As the tools are currently written, the full paths to the other
programs must be specified in the config file.

However, the DNSSEC-Tools group has had some discussion about this recently.
The possibility has been mentioned of changing the tools' behavior such that
the path is no longer required. If the programs were specified just by name,
then the first instance in the user's path would be executed. This would
allow for greater flexibility and for possibly making DNSSEC-Tools tool usage
easier when BIND, etc., are upgraded. Specifying the absolute path would
continue to run that specific program.

The flexibility given by this is countered by the received wisdom of the
insecurity of path variables. This holds that it is unsafe to rely on a
user's path variable, since path ordering is critical and may place
potentially unsafe directories before system directories in the search order.

As users of the DNSSEC-Tools scripts, what are your thoughts? Do you want the
flexibility of using the user's path? Do you think the potential insecurity
of relying on a user's path is overrated?

To get an idea of the choice we should have as a default, which of these
would you use:

1) specified absolute paths
2) user path-based invocations

Thanks for your help!

SPARTA National Security Sector
Cobham Analytic Solutions
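
The trade-off raised in the message above, as an added example that is not part of the original post or of DNSSEC-Tools: a resolver that uses an absolute path as given, searches the path for a bare name, and reports any risky directory that was searched before (or supplied) the program. The names `risky_reason`, `resolve` and `make_fixture` are hypothetical, and the directories and the `dnssec-signzone` stand-in file are constructed sample data.

```python
import os
import stat
import tempfile

def risky_reason(directory):
    """Why a PATH entry is unsafe to search, or None if nothing was found."""
    if not os.path.isabs(directory):
        return "relative or empty entry (resolved against the current directory)"
    try:
        mode = os.stat(directory).st_mode
    except OSError:
        return None  # a missing directory cannot supply a program
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "writable by group or other"
    return None

def resolve(command, path):
    """Absolute (or slash-containing) commands are used as given; bare names
    take the first executable hit in `path`. Returns (hit, warnings), where
    warnings cover every entry searched up to and including the hit."""
    if os.sep in command:
        return command, []
    warnings = []
    for directory in path.split(os.pathsep):
        reason = risky_reason(directory)
        if reason:
            warnings.append((directory, reason))
        candidate = os.path.join(directory or os.curdir, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate, warnings
    return None, warnings

def make_fixture(name="dnssec-signzone"):
    """Constructed sample: a 0755 'system' dir and a 0777 'shared' dir,
    each holding an executable stand-in file called `name`."""
    dirs = {}
    for label, mode in (("system", 0o755), ("shared", 0o777)):
        d = tempfile.mkdtemp(prefix=label + "-")
        os.chmod(d, mode)
        prog = os.path.join(d, name)
        with open(prog, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(prog, 0o755)
        dirs[label] = d
    return dirs

if __name__ == "__main__":
    d = make_fixture()
    for order in (("shared", "system"), ("system", "shared")):
        print(resolve("dnssec-signzone", os.pathsep.join(d[k] for k in order)))
```

A tool that accepts bare names could run such a check at startup and refuse, or log, when the warnings list is not empty.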