Agree. Hardcoding full pathnames is a bad practice in general. On 5/14/13 11:50 AM, "Kevin L. Mitchell" <kevin.mitchell at rackspace.com> wrote: >On Tue, 2013-05-14 at 18:38 +0300, Vasiliy Khomenko wrote: >> Attacker can put binary in /usr/local/bin for example. on ubuntu that >> path located before /usr/bin. > >If the attacker has write access to /usr/local/bin, it's already game >over; I don't see what we can do to nova that can mitigate something >that disastrous. > >-- >Kevin L. Mitchell <kevin.mitchell at rackspace.com> > > >_______________________________________________ >Mailing list: https://launchpad.net/~openstack >Post to : openstack at lists.launchpad.net >Unsubscribe : https://launchpad.net/~openstack >More help : https://help.launchpad.net/ListHelp