Re: [PATCH] Remove absolute paths from gpg.rc



On Fri, Mar 16, 2007 at 10:47:37AM -0700, Brendan Cully wrote:
> On Thursday, 15 March 2007 at 17:40, Christoph Berg wrote:

> > # HG changeset patch
> > # User Christoph Berg <cb@xxxxxxxx>
> > # Date 1173976786 -3600
> > # Node ID 50bc0121e4a8b1c638fa56451d477a7cf3b1cbce
> > # Parent  5c2f2072a4dbfa69f2db7a93ae52b984f65e165c
> > Remove absolute paths.
> 
> How about this as a compromise?

> # HG changeset patch
> # User Brendan Cully <brendan@xxxxxxxxxx>
> # Date 1174067159 25200
> # Node ID b60abb6d77e2c28a1f46ed22da36c2840c000f8f
> # Parent  08f9bb4b781028ad621d1debfee80c25be4dd81f
> Add --with-gpg and use it to set the path to gpg in gpg.rc

I'm sorry for taking so long to notice this thread.  (I was looking through an
interesting thread from Gaëtan LEURENT, and noticed his comment about this
thread, so I decided to read it, and got quite a laugh.  If you don't trust your
own $PATH, there's something fundamentally wrong with your environment.  If you
want extra $PATH security when running Mutt, there's nothing stopping you from
wrapping Mutt with a $PATH sanitizer.  The UNIX philosophy isn't to protect a
user from himself any more than the user himself decides to protect himself from
himself.  Disabling OS features in the hopes that it'll cause The Right Thing
(TM) to happen is just plain bad.  If I want a ~/bin controlled by my own user
rather than a shadow user, that's my own choice to make, and I should be allowed
to eat the cake I'm baking.  It's not Mutt's place to refuse to honor my $PATH
just because IT doesn't trust it.  If I trust it, what's Mutt's problem???  Just
for the record, I've had my own gpg.rc free of absolute paths for ages, and I
strongly believe that it's the only way to go.  If the security of your $PATH
bothers you, UNIX gives you no shortage of tools to protect yourself.  Having
programs decide to disobey the user's commands because of their own (misguided)
assumptions about system security makes no sense, since it puts users through
the same minefield that you're trying to put trojans through.  Besides, since
gpg.rc is fairly standard, it's entirely trivial for a trojan to simply replace
your gpg.rc instead of your muttrc, and 99% of users will never notice that
their gpg has been hijacked by a virus that's not even in their $PATH!  I guess
the point I'm making is that the security implications of $PATH are part of an
entirely different discussion list (comp.os.unix), and that our discussion here
is ridiculous, since most of the experts on the subject aren't even here.  Mutt
should simply fit in with the rest of a POSIX system, so if POSIX says that user
applications should search $PATH for programs because it's a tool available to a
user to tell a program where to look for another program, who the hell are we to
deliberately break compatibility???)

That said, I'd like to propose a compromise almost exactly the same as Brendan
Cully's suggestion, but to have the default simply have "gpg" in your gpg.rc,
rather than trying to find it at configure time, and screw the user over.  In
other words, my suggestion is to give users (and package maintainers, for that
matter) the opportunity to configure Mutt any way they want, but to have the
default behavior be the only correct behavior: to honor the user's wishes, since
POSIX (unlike our friend Bill) says that the user is the boss.

Just my pair of rusty pennies,
 - Dave
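The "wrap Mutt with a $PATH sanitizer" approach that Dave argues for above, as an added example that is not part of this thread or of mutt itself. The helper names (`sanitize_path`, `run_mutt_sanitized`) are hypothetical. The filter keeps only PATH entries that are absolute, exist as directories, are not writable by group or others, and are owned by root or by the invoking user; it drops empty entries (which PATH treats as the current directory), relative entries and duplicates, which is exactly what a trojan dropping a fake `gpg` into a writable or relative directory would rely on.

```shell
#!/bin/sh
# Added example (hypothetical helper, not mutt's own code): sanitize PATH
# before exec'ing mutt, so that an unqualified "gpg" in gpg.rc is resolved
# only through directories the user has reason to trust.

# sanitize_path PATHSTRING -> prints the filtered PATH on stdout
sanitize_path() {
    _in=$1
    _out=
    _me=$(id -u)
    _oldifs=$IFS
    IFS=:
    set -f                      # no globbing while we split on ':'
    for _dir in $_in; do
        # drop empty entries (meaning ".") and relative entries
        case $_dir in
            ''|[!/]*) continue ;;
        esac
        [ -d "$_dir" ] || continue
        # ls -ldn: field 1 is the mode string, field 3 the numeric owner uid
        _ls=$(ls -ldn "$_dir" 2>/dev/null) || continue
        _mode=$(printf '%s\n' "$_ls" | cut -c1-10)
        _uid=$(printf '%s\n' "$_ls" | awk '{print $3}')
        # reject directories writable by group (char 6) or others (char 9)
        case $_mode in
            ?????w????|????????w?) continue ;;
        esac
        # reject directories owned by anyone other than root or ourselves
        [ "$_uid" = 0 ] || [ "$_uid" = "$_me" ] || continue
        # drop duplicates
        case ":$_out:" in
            *":$_dir:"*) continue ;;
        esac
        _out=${_out:+$_out:}$_dir
    done
    set +f
    IFS=$_oldifs
    printf '%s\n' "$_out"
}

# Wrapper to install as e.g. ~/bin/mutt-safe and call instead of mutt:
#   run_mutt_sanitized "$@"
run_mutt_sanitized() {
    PATH=$(sanitize_path "$PATH")
    export PATH
    exec mutt "$@"
}
```

The point of doing this in a wrapper rather than inside mutt is the one the post makes: the user, not the program, decides which directories are trustworthy, and gpg.rc can keep a plain `gpg` that resolves through whatever PATH the wrapper hands down.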