On Wed, Apr 1, 2020 at 3:58 PM Lukas Czerner <lczerner(a)redhat.com> wrote:
On Wed, Apr 01, 2020 at 11:26:04AM -0700, Samuel Sieb wrote:
> On 4/1/20 4:27 AM, Lukas Czerner wrote:
> > I've noticed some failures in automated tests in bodhi, specifically
> > this one:
> >
> > {
> > "arch" : "x86_64",
> > "code" : "SuspiciousPath",
> > "context" : {
> > "excerpt" : [
> >
"PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
> > ],
> > "path" : "/usr/sbin/e2scrub"
> > },
> > "diag" : "Potentially insecure PATH element
<tt>/local</tt>",
> > "subpackage" : "e2scrub"
> > },
> >
> > I am not sure why it's considered insecure while on all of the Fedora
> > and RHEL systems I have available "/usr/local/sbin:/usr/local/bin" is
a
> > default part of the PATH.
>
> You don't want a system script to be looking for executables in /usr/local
> before the regular bin directories. And it's probably better that it
> doesn't look in /usr/local at all.
> It's fine for the admin to put extra things in /usr/local, but those paths
> don't override the system ones.
Thanks, that's understandable, but then why the PATH on my system is
/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
or
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
all the systems I try include /usr/local in the PATH.
We don't want anything installed via RPM to be using /usr/local
directly. The /usr/local path is intended for locally-installed
content by the administrator, while /usr is meant for content coming
from the distributor.
For example, I maintain the `npm` package. It installs its binary as
/usr/bin/npm. However, if I use npm (it's a Node.js package manager)
to install a Node-based binary with `npm -g install someapp`, it will
install it in /usr/local rather than /usr. This is done in part to
avoid future conflicts where RPM might try to overwrite
locally-installed content or where a tool like `npm` is overwriting
RPM-managed content (which it was doing until fairly recently...)