search

linux-surface / surface-uefi-firmware

UEFI firmware updates for surface using fwupd. WIP, be careful.
112 stars 9 forks source link

`find ... -execdir ...` fails when `$PATH` has any user-local path defined #38

Closed christophfink closed 5 months ago

christophfink commented 6 months ago

Context:

In my .bashrc, I include ~/.local/bin in $PATH, in order to run user-local applications. find’s -execdir option refuses to run when . is in $PATH, as it would allow overriding the invoked binaries (note that my case is, in fact, a false positive w.r.t. the threat described in find’s man page).

Command run:

repack.sh -o fwupdates SurfacePro9_Win11_22621_24.042.24278.0.msi

Expected result:

Firmware files are unpacked/repacked

Actual result:

repack.sh fails with the following error:

find: The relative path ‘~/.local/bin/’ is included in the PATH environment variable, which is insecure in combination with the -execdir action of find.  Please remove that entry from $PATH

Suggested remedy:

For the use case, the -exec option of find would work just as well, and does not have the related security implications or the consequent checks

qzed commented 5 months ago

Should be fixed by #39. So I guess we can close this.