On Fri, Dec 18, 2015 at 4:40 PM Thurston, John R (DOA) <john.thurston at alaska.gov> wrote:
Better, this behavior should be disallowed by default and enabled only by explicit action on the client. If you control the client, then it will be no big deal to enable on each host. If you don't control the client, then it should default to a closed configuration.
I would agree, if backticks were a new feature. But we don't want to break things for installations that make use of this. Perhaps change the default for a major release?
Also, I think the "secure" form of execution should be enhanced to be able to do globbing. In that way, many people will be able to convert from this:
file:echo /var/log/*/somefile
to this:
file:/var/log/*/somefile
without executing anything.
On Thu, December 17, 2015 10:31 pm, Jeremy Laidman wrote:
On Fri, Dec 18, 2015 at 4:40 PM Thurston, John R (DOA) <john.thurston at alaska.gov> wrote:
Better, this behavior should be disallowed by default and enabled only by explicit action on the client. If you control the client, then it will be no big deal to enable on each host. If you don't control the client, then it should default to a closed configuration.
I would agree, if backticks were a new feature. But we don't want to break things for installations that make use of this. Perhaps change the default for a major release?
Also, I think the "secure" form of execution should be enhanced to be able to do globbing. In that way, many people will be able to convert from this:
file:echo /var/log/*/somefile
to this:
file:/var/log/*/somefile
without executing anything.
This is another excellent idea. glob() is straight out of POSIX as well, which makes things easy-ish to add for any system halfway recent.
Regards, -jc
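As an added illustration of the glob() suggestion in this thread (not code from either poster or from the project), the sketch below expands a `file:` pattern by matching directory entries only, so nothing in the pattern is ever run. The names `expand_file_pattern` and `demo_count` are hypothetical, and the tree under /tmp is constructed sample data.

```c
#include <glob.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not the project's code: expand a file: pattern with
 * POSIX glob(). No shell runs, so backticks, ';' and '$' are ordinary
 * characters. Calls cb per match; returns the match count or -1 on failure. */
int expand_file_pattern(const char *pattern, void (*cb)(const char *))
{
    glob_t g;
    int rc = glob(pattern, 0, NULL, &g), n = -1;  /* flags 0: unreadable dirs are skipped */
    if (rc == 0) {
        n = (int)g.gl_pathc;
        for (size_t i = 0; cb != NULL && i < g.gl_pathc; i++)
            cb(g.gl_pathv[i]);
    } else if (rc == GLOB_NOMATCH) {
        n = 0;
    }
    globfree(&g);
    return n;
}

static void show(const char *path) { puts(path); }

/* Constructed sample tree <dir>/app1/somefile and <dir>/app2/somefile.
 * Returns the match count for "<dir>/<suffix>" and removes the tree. */
int demo_count(const char *suffix)
{
    char dir[64], sub[2][128], file[2][160], pattern[512];
    snprintf(dir, sizeof dir, "/tmp/globdemo.%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0) return -1;  /* refuse a pre-existing name */
    for (int i = 0; i < 2; i++) {
        snprintf(sub[i], sizeof sub[i], "%s/app%d", dir, i + 1);
        snprintf(file[i], sizeof file[i], "%s/somefile", sub[i]);
        FILE *f = (mkdir(sub[i], 0700) == 0) ? fopen(file[i], "w") : NULL;
        if (f) fclose(f);
    }
    snprintf(pattern, sizeof pattern, "%s/%s", dir, suffix);
    int n = expand_file_pattern(pattern, show);
    for (int i = 0; i < 2; i++) { unlink(file[i]); rmdir(sub[i]); }
    rmdir(dir);
    return n;
}

int main(void)
{
    printf("glob form: %d\n", demo_count("*/somefile"));
    printf("backtick form: %d\n", demo_count("`echo */somefile`"));
}
```

A pattern that still carries the old backtick or `;` syntax simply matches no files, which gives a converted client a safe failure mode rather than a command execution.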