1

I am building a program that relies on a series of external programs (pandoc, samtools, vcflib, etc.). To ensure that the correct versions are being used, I have downloaded the binaries for all of them and placed them in a bin directory, included with the program. When the program runs, I want to make sure that these are the versions used, regardless of other system installed versions.

Is it generally considered safe for the program to run a command like PATH=~/my_program/bin:$PATH to add its own binaries to the beginning of the $PATH?

I saw related questions here and here but was not clear if implementing this was actually advisable or not, or if there might be unintended consequences under these circumstances.

  • Better than that would likely be placing the binaries in one of the directories on path, such as /usr/local/bin. Alternatively you could look at docker which acts as a sandbox for software to ensure the software you include is used. https://www.docker.com/ – Centimane Jan 12 '17 at 17:59
  • Good suggestions, unfortunately I am using a CentOS 6 server which is not compatible with Docker, and do not have access to those sorts of locations. – user5359531 Jan 12 '17 at 18:05
  • In that case, I would recommend running the software in a chroot. I don't recommend this for "security", but rather so that you can be sure of exactly what is being used by your application, and sure that you aren't affecting the path of other software. – Centimane Jan 12 '17 at 19:50

1 Answer

3

It depends on what you mean by safe. If the place your program is kept on disk is not writable by other users, then it is safe in the sense that it's just another PATH that users can't exploit by tricking your software to run something else.

It's not safe in the sense that copying binaries to your software directory is not portable and will not benefit from security patches. But if you understand your own custom deployment, then it might not be an issue.

Angelo
  • If the PATH is modified only for the program he's writing, and if he trusts the binaries that he has installed, then I'd reckon it would be "safe". Some software requires a separate PATH to be set up, pointing to a separate bin directory with utilities, usually MYSOFTWARE_PATH or something. I believe what happens next is just that PATH is prepended with this separate path for the duration of execution. – Kusalananda Jan 12 '17 at 19:13
  • My intended implementation would have a user git clone the program's repo to install it, and a bin directory would be included in the repo where the program's preferential binaries would be stored. – user5359531 Jan 12 '17 at 19:30
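
The condition stated in the answer (the bundled directory must not be writable by other users) can be checked by a launcher script before it prepends anything to PATH, and the change then lasts only for that launcher and its children. This is an added example, not part of the original answer or comments; the function names and the launcher layout in the closing comment are assumptions.

```shell
#!/bin/sh
# Added example. Function names and directory layout are hypothetical.

# Print every entry under $1 that is group- or world-writable, or that is
# owned by neither the current user nor root. -L checks symlink targets,
# so a link pointing at a writable file is reported too.
unsafe_entries() {
    find -L "$1" \( -perm -0020 -o -perm -0002 \
        -o \( ! -user "$(id -u)" ! -user 0 \) \) -print
}

# Prepend the bundled bin directory to PATH only if it passes the check.
# On failure, return non-zero and leave PATH untouched.
use_bundled_bin() {
    # Resolve to an absolute physical path: relative PATH entries change
    # meaning whenever the working directory changes.
    bin_dir=$(CDPATH= cd -- "$1" 2>/dev/null && pwd -P) || {
        echo "bundled bin directory not found: $1" >&2
        return 1
    }
    bad=$(unsafe_entries "$bin_dir")
    if [ -n "$bad" ]; then
        echo "refusing to use $bin_dir; fix ownership/permissions of:" >&2
        echo "$bad" >&2
        return 1
    fi
    PATH="$bin_dir:$PATH"
    export PATH   # visible to this process and its children only
}

# Limitation: parent directories of the bin directory are not inspected.
#
# Typical use from a launcher kept next to bin/ (hypothetical layout):
#   use_bundled_bin "$(dirname "$0")/bin" || exit 1
#   exec samtools "$@"    # now resolved from the bundled directory first
```

A fresh `git clone` under a permissive umask (for example 002) produces group-writable files, in which case the check fails until the permissions are tightened.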