<div dir="ltr"><div dir="ltr">On Tue, 16 July 2019 at 19:34, Jordan Glover <<a href="mailto:Golden_Miller83@protonmail.ch">Golden_Miller83@protonmail.ch</a>> wrote:</div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
> While /usr/bin/env is more or less available on all POSIX systems<br>
> /bin/bash might not be. This is particularly the case on NixOS and the BSD<br>
> family (/usr/local/bin/bash). Downstream packagers would often rewrite<br>
> those shebangs back automatically as they can rely on absolute paths<br>
> but having portable shebangs in the repository helps to run the code<br>
> without any further modification.<br>
><br>
<br>
The reason almost everyone hardcodes bash to /bin/bash is the potential<br>
environment attack where someone creates a malicious "bash" and exports it in PATH:<br>
<br>
<a href="https://developer.apple.com/library/archive/documentation/OpenSource/Conceptual/ShellScripting/ShellScriptSecurity/ShellScriptSecurity.html" rel="noreferrer" target="_blank">https://developer.apple.com/library/archive/documentation/OpenSource/Conceptual/ShellScripting/ShellScriptSecurity/ShellScriptSecurity.html</a></blockquote><div><br></div><div>Well, if they rewrite your env and PATH you can't trust anything you do on that box ever. If wg is started with a malicious environment where IFS is set to "/" so that</div><div>"/bin/bash" (or any absolute-path-named-program) turns into " bin bash" then an evil PATH pointing to that "bin" would still start a bad script for you.</div><div><br></div><div><a href="https://books.google.se/books?id=-aIKj0lbADIC&pg=PT182&lpg=PT182&dq=set+IFS+to+slash&source=bl&ots=cNQdBQUJEv&sig=ACfU3U0apkUJWhJRjnJMgKlRBFBPD5nZ6g&hl=en&sa=X&ved=2ahUKEwiP0Ka8nrrjAhVOwsQBHZOtC08Q6AEwBHoECAgQAQ#v=onepage&q=set%20IFS%20to%20slash&f=false">https://books.google.se/books?id=-aIKj0lbADIC&pg=PT182&lpg=PT182&dq=set+IFS+to+slash&source=bl&ots=cNQdBQUJEv&sig=ACfU3U0apkUJWhJRjnJMgKlRBFBPD5nZ6g&hl=en&sa=X&ved=2ahUKEwiP0Ka8nrrjAhVOwsQBHZOtC08Q6AEwBHoECAgQAQ#v=onepage&q=set%20IFS%20to%20slash&f=false</a><br></div><div><br></div><div><br></div></div>-- <br><div dir="ltr" class="gmail_signature">May the most significant bit of your life be positive.<br></div></div>
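The following is an added example, not code from this thread, from WireGuard, or from the Apple document linked above. It shows the defensive prologue that document's advice amounts to for the two environment variables discussed here: reset IFS to its default and pin PATH to system directories before the script looks up any command, then verify the result. The function names (harden_env, env_is_sane) and the pinned PATH list are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread above or from the Apple document it
# links: a defensive prologue for a shell script that resets PATH and IFS
# before the script looks up any command. Function names are hypothetical.

# harden_env: restore the default IFS and pin PATH to fixed system directories,
# so a caller-supplied PATH entry cannot redirect a lookup of "bash" or "wg".
harden_env() {
    # Default IFS is space, tab, newline. Command substitution strips
    # trailing newlines, so append a sentinel character and chop it off.
    IFS=$(printf ' \t\nx'); IFS=${IFS%x}
    PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
    export PATH
    # Startup files sh/bash would source if the caller pointed them at a
    # script of their choosing; CDPATH can silently redirect "cd".
    unset ENV BASH_ENV CDPATH
}

# env_is_sane: return 0 only if IFS is the default and every PATH entry is an
# absolute directory (an empty or relative entry means "current directory").
env_is_sane() {
    ref=$(printf ' \t\nx'); ref=${ref%x}
    [ "$IFS" = "$ref" ] || return 1
    # An empty entry shows up as a leading/trailing ':' or as '::' in PATH.
    case ":$PATH:" in
        *::*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=:
    for dir in $PATH; do
        case $dir in
            /*) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# Typical use: the first statements of the script, before any command runs.
harden_env
env_is_sane || { echo "environment could not be sanitised" >&2; exit 1; }
```

One caveat worth keeping in mind: the kernel resolves a `#!/bin/bash` line directly in execve, consulting neither PATH nor IFS; it is `#!/usr/bin/env bash` that performs a PATH lookup for bash, which is the exposure the Apple document describes. Once the script is running, however, every further command it names is looked up through PATH, so a prologue like this is relevant to both shebang styles. POSIX sh has no `local`, so `ref`, `old_ifs` and `dir` are script-global variables here.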