[Bro-Dev] #442: Hardcode Python path

Bro Tracker bro at tracker.bro-ids.org
Wed May 25 13:06:32 PDT 2011 

#442: Hardcode Python path
-------------------------+--------------------
  Reporter:  robin       |      Owner:  jsiwek
      Type:  Problem     |     Status:  new
  Priority:  Normal      |  Milestone:  Bro1.6
 Component:  BroControl  |    Version:
Resolution:              |   Keywords:
-------------------------+--------------------

Comment (by jsiwek):

 Here's Craig's response that convinced me of taking the approach he
 proposed:
 {{{
 >> BroControl currently uses `#! /usr/bin/env` to find the Python
 >> binary at runtime. Craig suggested this instead:
 >
 > Craig, can you explain more about what the problem was in this ticket?
 > I didn't understand how configuring the python shebang to a full path at
 build time was better than using the env shebang.

 If you use env, you'll pick up whatever version of python is first on
 the path instead of the version that was first on the path when broctl
 was built. This will be different for different users and can result in
 unexpected results and possible brokenness.

 The specific python binary path should be considered part of the broctl
 config so that the package builder is able to control it by setting the
 path when building broctl. Also, the end user only as to have broctl on
 his path to be able to run it.

 For example on FreeBSD, /usr/local/bin is not on the default path; the
 default path is used at bootup so if broctl doesn't have the path built
 in, it can't find python when it's run from a rc.d script. You could add
 /usr/local/bin to the path but that won't be right 100% of the time for
 all installations.

 > If an absolute path to a python interpreter is set in the shebang
 > at configure/build time, then to change the python interpreter that
 > is used, the user has to either (1) edit the script(s) or (2)
 > re-configure/build/install broctl. These seem like the more
 > "difficult"  options to me.

 (How often does this actually happen?)

 Editing the scripts seems wrong; if you later rebuild (say to install a
 newer version) your changes will get over written.

 The binary executable is part of the broctl configuration so having to
 re-configure/build/install broctl to use a different python sounds
 completely reasonable to me.

 From my perspective, the inconvenience of rebuilding broctl seems minor
 compared to having different users picking up different versions of
 python.

 Finally, some folks consider it a security issue to use #!/usr/bin/env
 }}}

-- 
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/442#comment:2>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker

More information about the bro-dev mailing list