#!/usr/bin/python or #!/usr/bin/env python?

olsongt at verizon.net olsongt at verizon.net
Wed Aug 9 16:22:56 EDT 2006


Aahz wrote:
> In article <fj5Cg.2658$No6.51984 at news.tufts.edu>,
> John Salerno  <johnjsal at NOSPAMgmail.com> wrote:
> >
> >I understand the difference, but I'm just curious if anyone has any
> >strong feelings toward using one over the other? I was reading that a
> >disadvantage to the more general usage (i.e. env) is that it finds the
> >first python on the path, and that might not be the proper one to use. I
> >don't know if that's a real issue most of the time, but it's at least
> >something to consider.
>
> The main argument against the env method is that I've seen a fair number
> of sysadmins claim that it's less secure.  I'm not competent to judge
> that claim myself, but I prefer to play safe and stay away from env.
> --
> Aahz (aahz at pythoncraft.com)           <*>         http://www.pythoncraft.com/
>

Basically, someone could inject an arbitrary script called 'python'
into your path that does whatever (rm -fr /) under your user context
when you run the script.  But the same thing would happen if you run
'python test.py' instead of '/usr/local/bin/python test.py' to run a
script that doesn't have a she-bang or hasn't been flagged as
executable.  Some admins will use a fully-qualified path for every
command to guard against this; I think that can be overkill.
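
A defender-side check for the PATH concern discussed in the message above, as an added example that is not part of the original post: it walks a PATH string in lookup order, reports which `python` would be run, and flags entries searched before it that others could write to. The function name `audit_path` and the "writable by group or others" criterion are assumptions made for this illustration.

```python
import os
import stat

def audit_path(path_value, name="python"):
    """Return (resolved, findings) for a PATH string.

    resolved: first executable `name` in PATH order, or None.
    findings: (entry, reason) for risky entries searched up to that point.
    """
    findings = []
    for entry in path_value.split(os.pathsep):
        directory = entry or "."          # an empty entry means the current directory
        if not os.path.isabs(directory):
            findings.append((entry, "relative or empty entry"))
        try:
            mode = os.stat(directory).st_mode
        except OSError:
            continue                      # missing directory: nothing to find here
        if not stat.S_ISDIR(mode):
            continue
        # Assumed risk criterion: anyone besides the owner can add files here.
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "writable by group or others"))
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate, findings    # the lookup stops at the first match
    return None, findings

if __name__ == "__main__":
    resolved, findings = audit_path(os.environ.get("PATH", ""))
    print("env would run:", resolved)
    for entry, reason in findings:
        print("check %r: %s" % (entry, reason))
```

Entries after the resolved interpreter are not reported, since they cannot shadow it.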



