#!/usr/bin/python or #!/usr/bin/env python?

olsongt at verizon.net olsongt at verizon.net
Wed Aug 9 19:10:16 EDT 2006


Erik Max Francis wrote:
> olsongt at verizon.net wrote:
>
> > Basically, someone could inject an arbitrary script called 'python'
> > into your path that does whatever (rm -fr /) under your user context
> > when you run the script.  But the same thing would happen if you run
> > 'python test.py' instead of '/usr/local/bin/python test.py' to run a
> > script that doesn't have a she-bang or hasn't been flagged as
> > executable.  Some admins will use a fully-qualified path for every
> > command to guard against this; I think that can be overkill.
>
> The primary guard for this is not having publicly-writable things in
> your PATH.  In other words, this is the argument for not putting things
> like /tmp or . (because you might cd to somewhere publicly writable like
> /tmp) in your PATH, not really for avoiding /usr/bin/env in hash bangs.
>

Yeah, I agree 100%.  I guess the best way to put it is that if random
people are creating scripts called 'python' in your path, you've got
bigger problems than /usr/bin/env calling the wrong program or a plain
old 'python test.py' doing the same.
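The point both posters agree on above, that the real guard is keeping relative and publicly-writable entries out of PATH, can be checked mechanically. The following is an added example written for this thread, not code from either poster: a POSIX sh audit that flags empty or `.` entries and world-writable directories in a PATH value, and a small resolver that shows which file a `#!/usr/bin/env python` line would actually execute under that PATH. The function names (`world_writable`, `check_path_entries`, `resolve_in_path`) are my own, and the world-writable test assumes the usual `ls -ld` mode string layout (other-write is the 9th character).

```shell
#!/bin/sh
# Added example, not part of the original python-list thread.
# Audits a PATH value for the entries the thread warns about, and shows which
# file '#!/usr/bin/env python' would run under that PATH. POSIX sh; the only
# external tool used is ls.

# world_writable DIR
# Returns 0 if DIR is a directory whose mode grants write access to "other"
# (e.g. /tmp). Assumes the standard 'ls -ld' mode string: 9th char is o+w.
world_writable() {
    [ -d "$1" ] || return 1
    case "$(ls -ld "$1")" in
        ????????w*) return 0 ;;
        *)          return 1 ;;
    esac
}

# check_path_entries PATH_STRING
# Prints one line per risky entry. Returns 0 if PATH is clean, 1 otherwise.
# Risky: an empty or '.' entry (both mean "current directory", which may be
# somewhere like /tmp), or a directory that anyone on the host can write to.
check_path_entries() {
    rest="$1:"        # trailing ':' so the loop also sees the last field
    risky=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        case $dir in
            ""|.)
                echo "relative entry '${dir:-<empty>}' resolves to the current directory"
                risky=1 ;;
            *)
                if world_writable "$dir"; then
                    echo "world-writable directory in PATH: $dir"
                    risky=1
                fi ;;
        esac
    done
    return $risky
}

# resolve_in_path NAME PATH_STRING
# Prints the first regular, executable file named NAME found by walking
# PATH_STRING left to right, i.e. what 'env NAME' (execvp) would run.
# Returns 1 and prints nothing if no match exists.
resolve_in_path() {
    name=$1
    rest="$2:"
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        candidate="${dir:-.}/$name"     # empty entry == current directory
        if [ -f "$candidate" ] && [ -x "$candidate" ]; then
            echo "$candidate"
            return 0
        fi
    done
    return 1
}

# Stand-alone usage: audit the caller's own PATH and report the interpreter
# that a '#!/usr/bin/env python' line would pick up.
if check_path_entries "$PATH"; then
    echo "PATH looks clean"
fi
echo "env python would run: $(resolve_in_path python "$PATH" || echo '<not found>')"
```

Run it with no arguments to audit the current shell's PATH; a non-zero exit from `check_path_entries` means some entry lets another local user decide which `python` your shebang resolves to, which is the condition the thread describes. Note that a sticky-bit directory such as /tmp is still reported: the sticky bit stops other users overwriting your files, but not creating a new file named `python` there.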
