[External] : Re: Shell files in `/bin` can be made executable
mark.reinhold at oracle.com
mark.reinhold at oracle.com
Wed Nov 24 17:34:13 UTC 2021
2021/11/24 5:08:05 -0800, magnus.ihse.bursie at oracle.com:
> On 2021-11-23 16:43, Kevin Rushforth wrote:
>> I sent my reply before I saw Magnus', so I was commenting on the
>> "what" and not the "why".
>>
>> I'm sure others with more standing in the JDK project will chime in,
>> but two reasons that come to mind are:
>>
>> 1. Allowing scripts that are executable could lead to unexpected
>> results if the current directory is in the PATH ahead of some place
>> you expect to get that command.
>
> You mean if the user has configured his/her environment to have like
> PATH=.:/bin:/usr/bin:..? That is a horrible, horrible security
> misconfiguration, that will introduce security issues all the time, not
> only for OpenJDK. I don't think we can or should try to protect against
> this particular case of bad user configuration.
Yes, that is a horrible, horrible security misconfiguration, but it is
all too common out in the wild.
We have never allowed executable files for this reason and, also, to
help prevent executable binary files from being checked in. The latter
are not only another potential attack vector but also a maintenance
nightmare.
- Mark
More information about the jdk-dev
mailing list