Potential security risk for devs: Makefile adds $GOPATH/bin in the beginning of PATH #8325
Comments
It's extremely common for Go developers to have How would option #3 address the security concerns? If someone could get a malicious We'll have to stop using
The problem arises when Option 3. addresses the security concerns, because potentially bad binaries that live in Rephrasing myself from golang/go#16601 (comment) (potential scenario):
If you do something like Option 3 protects against scenarios involving bad binaries installed under an unexpected name, but it doesn't help if the package is modified in place without changing its name. If you
I agree, the problem is with using I just want to minimize the risk. BTW we are using option 2. -- for different reasons (clean builds, pre-push git hooks).
Now that we've switched to vendored sources, I've started looking at being more precise about when we install/update tools (e.g. #12029) and can also add where we install them to that effort. Most callsites should be pretty easy to switch to
@dt do you think this is still an issue, and if so, what milestone should we put it under? I'm trying to get rid of the Q1 2017 milestone.
@benesch is actively working on this actually!
@benesch You've fixed this, right?
Yep! We no longer add
Problem is in cockroach/Makefile, line 42 in c1d97b7.
Please supply the header (i.e. the first few lines) of your most recent log file for each node in your cluster. On most unix-based systems running with defaults, this boils down to the output of
Did it on c1d97b7
Please describe the issue you observed:
For a longer discussion see cmd/go: should go install/get blacklist common binary names, such as go, rm, cp? golang/go#16601
I happened to have a binary named `go` in my `$GOPATH/bin`.
Steps to reproduce:
build proceeding normally
Imagine that the `go` binary I managed to get into my `$GOPATH/bin` was malicious. It would go unnoticed (and harmless) until I try to build cockroach.
Possible solutions
`go` toolchain, to prevent a binary named `go` from getting into my `$GOPATH/bin`. See cmd/go: should go install/get blacklist common binary names, such as go, rm, cp? golang/go#16601
`GOPATH` before building (only building what is committed, ignoring the dirty state). Might be slow.
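Added illustration of the shadowing described in this issue. The script below is not cockroach's Makefile and not code from the thread; the fixture tree, the fake `go`, `cp` and `mytool-xyz` executables and the function names (`shadowed_names`, `run_with_prepend`, `run_with_append`, `run_pinned`) are assumptions made here so the example runs offline. It builds a stand-in toolchain directory and a stand-in `$GOPATH/bin`, lists which names in the latter would shadow something already on PATH, and then shows which `go` actually executes under the prepended ordering the issue reports, under an appended ordering, and when the tool is resolved once on a trusted PATH and invoked by absolute path.

```sh
#!/bin/sh
# Added illustration of the issue above. This is not cockroach's Makefile and not
# code from the thread; the fixture layout and the fake "go", "cp" and
# "mytool-xyz" executables are constructed here so the script runs offline.

# write_exe FILE MSG: create a tiny executable that just prints MSG.
write_exe() {
  printf '#!/bin/sh\necho %s\n' "$2" > "$1"
  chmod +x "$1"
}

# make_fixture: build a throwaway tree and print its root directory.
#   $root/sys/go                 stands in for the real Go toolchain (prints real-go)
#   $root/gopath/bin/go          a planted binary with the toolchain's name (prints fake-go)
#   $root/gopath/bin/cp          shadows the system cp (the golang/go#16601 concern)
#   $root/gopath/bin/mytool-xyz  a legitimately installed tool with a unique name
make_fixture() {
  root=$(mktemp -d) || return 1
  mkdir -p "$root/sys" "$root/gopath/bin"
  write_exe "$root/sys/go" real-go
  write_exe "$root/gopath/bin/go" fake-go
  write_exe "$root/gopath/bin/cp" fake-cp
  write_exe "$root/gopath/bin/mytool-xyz" my-tool
  printf '%s\n' "$root"
}

# shadowed_names DIR BASEPATH: print every executable in DIR whose name also
# resolves on BASEPATH, i.e. the binaries that silently win once DIR is
# prepended to PATH. Run this against $GOPATH/bin before trusting it.
shadowed_names() {
  for f in "$1"/*; do
    [ -f "$f" ] && [ -x "$f" ] || continue
    if (PATH=$2; export PATH; command -v "${f##*/}" >/dev/null 2>&1); then
      printf '%s\n' "${f##*/}"
    fi
  done
}

# run_with_prepend DIR BASEPATH NAME: the ordering the issue reports,
# PATH="$GOPATH/bin:$PATH", so a same-named file in DIR shadows the toolchain.
run_with_prepend() { (PATH="$1:$2"; export PATH; "$3"); }

# run_with_append DIR BASEPATH NAME: DIR goes last, so BASEPATH wins for any
# name it already has and DIR only supplies tools that exist nowhere else.
run_with_append() { (PATH="$2:$1"; export PATH; "$3"); }

# run_pinned BASEPATH NAME: resolve NAME on the trusted BASEPATH once and call
# it by absolute path, which is what a Makefile gets from storing the resolved
# path in a variable instead of relying on PATH at every recipe line.
run_pinned() {
  pinned=$(PATH=$1; export PATH; command -v "$2") || return 1
  "$pinned"
}

# Demo: prints what each ordering actually executes.
demo() {
  root=$(make_fixture) || return 1
  base="$root/sys:/usr/bin:/bin"
  echo "shadowed by $root/gopath/bin:"
  shadowed_names "$root/gopath/bin" "$base"
  echo "prepended -> $(run_with_prepend "$root/gopath/bin" "$base" go)"
  echo "appended  -> $(run_with_append "$root/gopath/bin" "$base" go)"
  echo "pinned    -> $(run_pinned "$base" go)"
  rm -rf "$root"
}
demo
```

`shadowed_names` is the check a developer can run on their own `$GOPATH/bin` (with the real `$PATH` as the second argument); the other three functions show what a recipe line such as `go build` resolves to under each ordering. Only the prepended ordering runs the planted `go`; appending or pinning the resolved path leaves `mytool-xyz` reachable while keeping the system toolchain in charge of every name it already owns.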