<div dir="ltr">If an attacker can put a binary in /usr/local/bin, they already have root and we are doomed anyways.  If you are still worried about it, reorder PATH so that /usr/local/whatever comes last instead of first.</div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, May 14, 2013 at 10:38 AM, Vasiliy Khomenko <span dir="ltr"><<a href="mailto:vkhomenko@griddynamics.com" target="_blank">vkhomenko@griddynamics.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">An attacker can put a binary in /usr/local/bin, for example. On Ubuntu that path is located before /usr/bin.<div>
We could create some templates with absolute paths to binaries for each distro (deb-based, rhel-based) and auto-detect them.</div>
<div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote"><div class="im">On Tue, May 14, 2013 at 3:36 PM, Victor Lowther <span dir="ltr"><<a href="mailto:victor.lowther@gmail.com" target="_blank">victor.lowther@gmail.com</a>></span> wrote:<br>

</div><div><div class="h5"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Err, sounds like a lot of work to make the code more fragile.  If you want to be paranoid about launching the right command, do it by sanity-checking $PATH, not by hardcoding the path of all the executables you call.</div>


<div class="gmail_extra"><br><br><div class="gmail_quote"><div><div>On Tue, May 14, 2013 at 5:56 AM, Stanislav Pugachev <span dir="ltr"><<a href="mailto:spugachev@griddynamics.com" target="_blank">spugachev@griddynamics.com</a>></span> wrote:<br>


</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>Hi, <br>I've added a blueprint <a href="https://blueprints.launchpad.net/hacking/+spec/absolute-paths-of-os-binaries" target="_blank">https://blueprints.launchpad.net/hacking/+spec/absolute-paths-of-os-binaries</a><br>


Please, take a look and let's discuss it if it makes sense.<br>
Thank you<br>Stas.<br><br><br>
<br></div></div>_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to     : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help   : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
<br></blockquote></div><br></div>
<br></blockquote></div></div></div><br></div>
</blockquote></div><br></div>
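<div dir="ltr">Added example, not part of the original thread or of any OpenStack code: one way to sanity-check $PATH before launching external commands, and to move /usr/local entries to the end, as the replies above suggest. The function names, the choice of uid 0 as the only trusted owner, and the rule of rejecting group- or world-writable directories are assumptions of this sketch.</div>

```python
import os
import stat


def unsafe_reason(entry, trusted_uids=(0,)):
    """Return why a PATH entry is unsafe, or None if it passes the checks."""
    if not entry or not os.path.isabs(entry):
        return "empty or relative entry (resolves against the current directory)"
    try:
        st = os.stat(entry)
    except OSError:
        return "does not exist or is unreadable"
    if not stat.S_ISDIR(st.st_mode):
        return "not a directory"
    if st.st_uid not in trusted_uids:  # assumption: only root-owned dirs are trusted
        return "owned by untrusted uid %d" % st.st_uid
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group- or world-writable"
    return None


def sanitize_path(path, demote_prefix="/usr/local", trusted_uids=(0,)):
    """Drop unsafe and duplicate entries, then move demote_prefix entries last."""
    kept, rejected, seen = [], [], set()
    for entry in path.split(os.pathsep):
        reason = unsafe_reason(entry, trusted_uids)
        if reason:
            rejected.append((entry, reason))
        elif entry not in seen:
            seen.add(entry)
            kept.append(entry)

    def is_local(p):
        return p == demote_prefix or p.startswith(demote_prefix + os.sep)

    ordered = [p for p in kept if not is_local(p)] + [p for p in kept if is_local(p)]
    return os.pathsep.join(ordered), rejected


if __name__ == "__main__":
    clean, rejected = sanitize_path(os.environ.get("PATH", ""))
    print("PATH=" + clean)
    for entry, reason in rejected:
        print("rejected %r: %s" % (entry, reason))
```

<div dir="ltr">Only the PATH directories themselves are checked here, not their parent directories; pass the result as env={"PATH": clean} to subprocess calls rather than hardcoding per-distro binary paths.</div>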