On 09/12/2014 04:50 PM, Christian Franke wrote:
> Andrey Repin wrote:
>>> Hmm... is postfix actually broken?
>>> Unsetting PATH is IMO sane (from the POSIX POV) if all exec() calls use
>>> absolute path names.
>> If all exec() calls are made with full paths, unsetting $PATH does not
>> improve
>> security in any way,
> 
> Of course. But postfix could be configured to run "unknown" external
> programs through its various daemons. In this case, a fixed (here:
> empty) PATH improves security. If not convinced, please discuss with the
> author of postfix :-)

An empty PATH leaves it up to the implementation what helpers get run
(if it doesn't fall over first), which is LESS secure than a guaranteed
safe PATH of confstr(_CS_PATH).

> 
> 
>> but leave underlying system in an inconsistent state.
> 
> I don't see any added inconsistencies, please explain.

The moment you throw away the bare minimum POSIX-required PATH, you have
introduced inconsistency into the environment you are handing to your
child process.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org