[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: The load path
|
From: |
Rob Browning |
|
Subject: |
Re: The load path |
|
Date: |
Sun, 17 Oct 2004 14:40:29 -0500 |
|
User-agent: |
Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (gnu/linux) |
Andy Wingo <address@hidden> writes:
> First off, the load path for a guile in /usr/bin/guile doesn't
> include /usr/local. I was discussing this with Rob today on IRC, and
> we agreed that /usr/local should be added onto the load path for a
> guile in /usr, so that local packages can be used without hacking
> LOAD_PATH.
I agree that it's probably a good idea, though I was a little
concerned about putting things in /usr/local in root's default path.
However, my concern may have been based on an incorrect assumption. I
had thought that on many systems root's PATH did not include
directories in /usr/local/bin by default because on those systems
/usr/local was group staff, and membership in staff was not supposed
to be equivalent to root (security-wise). If this is not a common
presumption, then my concern is irrelevant.
> Secondly, guile's load path includes ".". This is unexpected. The set of
> includes should not depend on the working directory of the user. Also,
> as in the case of $PATH and $LD_LIBRARY_PATH, this exposes a security
> risk. The only time I can imagine this as being useful is within a
> source tree, when you control the environment anyway.
Yes. It's risky for all the same reasons that having . in your PATH
is. The risk is a little less than it otherwise might be, since . is
at the end, but it's still a risk.
--
Rob Browning
rlb @defaultvalue.org and @debian.org; previously @cs.utexas.edu
GPG starting 2002-11-03 = 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4