Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sun-barr!lll-winken!elroy.jpl.nasa.gov!sdd.hp.com!hplabs!pyramid!chetal
From: chetal@pyrps5.pyramid.com (Pradeep Chetal)
Newsgroups: comp.lang.perl
Subject: Re: I get "Insecure PATH" when I run commands from emacs...
Message-ID:
Date: 17 Jun 91 16:46:23 GMT
References: <1991Jun16.212315.4751@convex.com> <1991Jun17.011615.13952@convex.com>
Sender: news@pyramid.pyramid.com
Distribution: comp.lang.perl
Organization: Pyramid Technology Corp., Mtn View, Calif.
Lines: 31
In-reply-to: tchrist@convex.COM's message of 17 Jun 91 01:16:15 GMT

In article <1991Jun17.011615.13952@convex.com> tchrist@convex.COM (Tom Christiansen) writes:

   From the keyboard of chetal@pyrps5.pyramid.com (Pradeep Chetal):
   :It is a setgid emacs running on the system.
   :It also shows the egid when I run the "id" script
   :via "emacs" as a Shell command. Since I do NOT have
   :any control over the emacs, can I change the programming style so that
   :I do NOT get the "Insecure PATH" problem. OR I should avoid such
   :programming practice.

   I smell a security hole. emacs should not run sgid, and if it really
   must, it should do a setgid(getgid()) before any fork/execs. If you're
   going to make a special group for protection, why let anyone who wants
   to run in it whenever they wish?

Looking at the "shell-command" in emacs, it just does a shell "-c" command
so it does NOT do any set[ud]id(get[ug]id()). I will talk to the admin here.

Thanks for your help,

/Pradeep
--
------------------------------------------------------------------------------
Pradeep Chetal          UUCP: ...!{decwrl,sun,uunet}!pyramid!chetal
M/S 24                  Internet: chetal@pyramid.com
Pyramid Technology      Phone: (415) 335-8227 (O)
1295 Charleston Road           (415) 961-9789 (H)
Mountain View, CA 94043        (415) 335-8845 (FAX)
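
The setgid(getgid()) advice quoted in the post above, as an added example that is not part of the original post and is not emacs code: a C helper that runs a shell "-c" command only after the child has given up its set-id group and user. The function names, the /bin/sh path and the fixed PATH value are assumptions of this example.

```c
/* Added example: drop set-id privileges in the child before exec'ing a
 * shell "-c" command. Function names, /bin/sh and the PATH value are
 * assumptions of this example. */
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently give up the effective gid/uid gained from a setgid or
 * setuid bit. Group first: once the uid is dropped the process may no
 * longer be allowed to change its group.
 * Returns 0 on success, -1 if any privilege could remain. */
int drop_privileges(void)
{
    gid_t rgid = getgid();
    uid_t ruid = getuid();

    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* Verify the result instead of trusting the return codes alone. */
    if (getegid() != rgid || geteuid() != ruid)
        return -1;
    return 0;
}

/* Run `cmd` through sh -c as the real user and group, with a fixed
 * minimal environment instead of the caller's.
 * Returns the command's exit status, or -1 on failure. */
int run_shell_command(const char *cmd)
{
    static char *const child_env[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(126);               /* refuse to run with privilege */
        execle("/bin/sh", "sh", "-c", cmd, (char *)NULL, child_env);
        _exit(127);                   /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

With real and effective ids equal in the child, a Perl script started this way is no longer subject to the set-id taint checks that report "Insecure PATH".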