#!/usr/bin/python or #!/usr/bin/env python?
Erik Max Francis
max at alcyone.com
Wed Aug 9 16:54:06 EDT 2006
olsongt at verizon.net wrote:
> Basically, someone could inject an arbitrary script called 'python'
> into your path that does whatever (rm -fr /) under your user context
> when you run the script. But the same thing would happen if you run
> 'python test.py' instead of '/usr/local/bin/python test.py' to run a
> script that doesn't have a she-bang or hasn't been flagged as
> executable. Some admins will use a fully-qualified path for every
> command to guard against this; I think that can be overkill.
The primary guard for this is not having publicly-writable things in
your PATH. In other words, this is the argument for not putting things
like /tmp or . (because you might cd to somewhere publicly writable like
/tmp) in your PATH, not really for avoiding /usr/bin/env in hash bangs.
--
Erik Max Francis && max at alcyone.com && http://www.alcyone.com/max/
San Jose, CA, USA && 37 20 N 121 53 W && AIM erikmaxfrancis
We must all hang together, or, most assuredly, we will all hang
separately. -- John Hancock
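As an added example that is not part of this thread, here is a POSIX shell audit of a PATH value for exactly the entries discussed above: the current directory (empty entry or "."), relative entries, and publicly writable directories such as /tmp. The function names, flag labels and output format are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PATH value for directories in
# which an attacker could plant a file named "python".  Findings are printed
# as "FLAG: entry":
#   CWD       empty entry or "." (the current directory gets searched)
#   RELATIVE  entry not starting with "/" (resolved against the current dir)
#   MISSING   not an existing directory (a later mkdir could fill it in)
#   WRITABLE  group- or world-writable directory, e.g. /tmp; the sticky bit
#             only protects existing files, anyone can still create one
# audit_path returns 0 when nothing is flagged, 1 otherwise.

# Print the 10-character mode string of a directory (symlinks followed).
dir_mode() {
    ls -ldL "$1" | cut -c1-10
}

# Succeed when the directory is writable by group (pos 6) or others (pos 9).
is_group_or_world_writable() {
    case $(dir_mode "$1") in
        ?????w*|????????w*) return 0 ;;
        *)                  return 1 ;;
    esac
}

audit_path() {
    rest="$1:"          # trailing ":" so the loop also sees the last entry
    findings=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        flag=""
        if [ -z "$entry" ] || [ "$entry" = "." ]; then
            flag=CWD
        elif [ "${entry#/}" = "$entry" ]; then
            flag=RELATIVE
        elif [ ! -d "$entry" ]; then
            flag=MISSING
        elif is_group_or_world_writable "$entry"; then
            flag=WRITABLE
        fi
        if [ -n "$flag" ]; then
            printf '%s: %s\n' "$flag" "${entry:-(empty)}"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Audit the live PATH of the shell running this script.
if audit_path "$PATH"; then
    echo "PATH: no risky entries found"
fi
```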