Re: % in $PATH

[Guido Berhoerster <gber@opensuse.org>]

* Stephane Chazelas <stephane.chazelas@gmail.com> [2014-11-10 23:23]:
> 2014-11-10 22:59:38 +0100, Guido Berhoerster:
> [...]
> > A much nicer solution would be to do something similar to the
> > original Korn shell and assign additional builtins a virtual
> > path which can be freely assigned in PATH and with which they can
> > be explicitly called. No more "%" in PATH and the feature can
> > be retained.
> [...]
> 
> Sounds to me like it's what dash does. It has %builtin (or
> /%builtin) where ksh93 has /opt/ast/bin.

That's kind of the point, this thread started about the trouble
that the "%" causes, using a virtual path like /usr/libexec/dash
or so instead should avoid the issue. That leaves the /path%func
case but there is precendence with FPATH as a solution if "%" is
to be completely eliminated from PATH.

> With ksh93, that's only for a few extra builtins that are only
> enabled if you add /opt/ast/bin to $PATH (or you can call them
> with "command /opt/ast/bin/cat").
> 
> I wouldn't say it's much better, it's still bad as being the
> hijacking of one namespace for something else.
> 
> dash's %builtin (as opposed to /path/to/functions%func) is
> potentially dangerous though because if you have that in your
> $PATH, you're vulnerable to attackers planting %builtin
> directories (in /tmp for instance) which will be considered by
> other things than dash/ash when looking up $PATH.
> 
> That's worked around by using /%builtin instead of %builtin
> though.
> 
> -- 
> Stephane
> --
> To unsubscribe from this list: send the line "unsubscribe dash" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

-- 
Guido Berhoerster