Re: Why is "local" insecure PATH element ?

On Wed, Apr 01, 2020 at 11:26:04AM -0700, Samuel Sieb wrote: > On 4/1/20 4:27 AM, Lukas Czerner wrote: > > I've noticed some failures in automated tests in bodhi, specifically > > this one: > > > > { > > "arch" : "x86_64", > > "code" : "SuspiciousPath", > > "context" : { > > "excerpt" : [ > > "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin" > > ], > > "path" : "/usr/sbin/e2scrub" > > }, > > "diag" : "Potentially insecure PATH element <tt>/local</tt>", > > "subpackage" : "e2scrub" > > }, > > > > I am not sure why it's considered insecure while on all of the Fedora > > and RHEL systems I have available "/usr/local/sbin:/usr/local/bin" is a > > default part of the PATH. > > You don't want a system script to be looking for executables in /usr/local > before the regular bin directories. And it's probably better that it > doesn't look in /usr/local at all. > It's fine for the admin to put extra things in /usr/local, but those paths > don't override the system ones. Thanks, that's understandable, but then why the PATH on my system is /usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin or /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin all the systems I try include /usr/local in the PATH.