On 09/12/2014 05:03 PM, Eric Blake wrote:
> On 09/12/2014 04:50 PM, Christian Franke wrote:
>> Andrey Repin wrote:
>>>> Hmm... is postfix actually broken?
>>>> Unsetting PATH is IMO sane (from the POSIX POV) if all exec() calls use
>>>> absolute path names.
>>> If all exec() calls are made with full paths, unsetting $PATH does not
>>> improve security in any way,
>>
>> Of course. But postfix could be configured to run "unknown" external
>> programs through its various daemons. In this case, a fixed (here:
>> empty) PATH improves security. If not convinced, please discuss with the
>> author of postfix :-)
>
> An empty PATH leaves it up to the implementation what helpers get run
> (if it doesn't fall over first), which is LESS secure than a guaranteed
> safe PATH of confstr(_CS_PATH).

By the way, passing a _safe_ PATH to your child process IS a good idea for
security-conscious programs, but you have to do it correctly (by passing an
actual safe path, and NOT by completely unsetting PATH).

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
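What "passing an actual safe path" looks like in practice, as an added C example that is not from this thread, postfix or libvirt: the parent asks the implementation for its guaranteed-safe PATH via confstr(_CS_PATH), sets (rather than unsets) PATH in the child, and only then lets execvp() search it. The function names are mine; it assumes a POSIX system where fork, setenv and a `sh` reachable from the confstr path exist.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Malloc'd copy of the implementation's guaranteed-safe PATH from
 * confstr(_CS_PATH); NULL if the system cannot supply one. */
char *safe_path(void) {
    size_t n = confstr(_CS_PATH, NULL, 0);   /* size incl. terminating NUL */
    if (n == 0) return NULL;
    char *buf = malloc(n);
    if (buf == NULL) return NULL;
    if (confstr(_CS_PATH, buf, n) != n) { free(buf); return NULL; }
    return buf;
}

/* Fork and exec argv in a child whose PATH is replaced by the confstr value,
 * so helper lookup never follows the PATH the caller inherited.
 * Returns the child's exit status, or -1 on failure. */
int run_with_safe_path(char *const argv[]) {
    char *path = safe_path();
    if (path == NULL) return -1;
    pid_t pid = fork();
    if (pid < 0) { free(path); return -1; }
    if (pid == 0) {
        /* Child: set (not unset) PATH, then let execvp search only it. */
        if (setenv("PATH", path, 1) != 0) _exit(127);
        execvp(argv[0], argv);
        _exit(127);                           /* exec failed */
    }
    free(path);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Prove the child really sees the safe PATH: run sh and compare its $PATH
 * with the value we computed.  Returns 0 on match, non-zero otherwise. */
int child_sees_safe_path(void) {
    char *path = safe_path();
    if (path == NULL) return -1;
    char *const argv[] = { "sh", "-c", "test \"$PATH\" = \"$1\"", "sh", path, NULL };
    int rc = run_with_safe_path(argv);
    free(path);
    return rc;
}

int main(void) { return child_sees_safe_path() == 0 ? 0 : 1; }
```

A helper that is not on the confstr path fails with status 127 instead of being picked up from a directory the caller happened to inherit, which is the difference Eric draws between a safe PATH and an empty one.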