Re: compinit trusts .zcompdump even when it's owned by a different user?

zsh-users
 help / color / mirror / code / Atom feed

From: Nick Irvine <nfirvine@nfirvine.com>
To: Peter Stephenson <p.stephenson@samsung.com>, zsh-users@zsh.org
Subject: Re: compinit trusts .zcompdump even when it's owned by a different user?
Date: Wed, 6 Jan 2016 15:41:29 -0800	[thread overview]
Message-ID: <CAEiyHin3DDhcvLZaM_rw0oOwb9BfXdvhOPXBJq+Qf6CZ6hPo8Q@mail.gmail.com> (raw)
In-Reply-To: <20160106093659.2cd1ad5d@pwslap01u.europe.root.pri>

[-- Attachment #1: Type: text/plain, Size: 1597 bytes --]

>
> The standard fix for this is to point different users at different
> files.  Run compinit with the -d option, e.g.
>
> compinit -d ~/.compdump_${USER}
>
> This is the only way you're going to have two users in the same area
> with the same basic environment (home directory in particular)
> co-existing (regardless of compaudit).
>

I'm inclined to agree. I'm using prezto and they do compinit for you. Am
trying to convince maintainer that a -d is a good idea.

The security issue is a separate one and I don't have a glib answer to
> that.  I think the assumption has been the dump file, unlike the
> contents of your $fpath, will always be written in an area to which no
> one other than you and the superuser has access, unless you've
> explicitly given it to someone.  Certainly, as currently implemented,
> compaudit is really there to check for zsh functions you don't want to
> autoload owing to the fact that $fpath might point at anything --- not as
> a security check for files in your own area, which is a whole different
> ball game.  If you're worried about the dump file, why are .zshrc or
> .zshenv, typically in the same area, not even more of a worry?
>

Yep, good points. It's more a matter of my expectations: I didn't expect
zsh to trust a cache owner by another, so it added to my confusion.

Anyway...

After some more debugging, I found out that awscli's zsh completion script
(which I was sourcing) was causing compinit to be run again, causing havoc.
So I've fixed my problem (in that I can't repro it now). Not sure if
there's still anything to be done here or not.

     prev parent reply	other threads:[~2016-01-06 23:41 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-01-06  1:58 Nick Irvine
2016-01-06  9:36 ` Peter Stephenson
2016-01-06 23:41   ` Nick Irvine [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAEiyHin3DDhcvLZaM_rw0oOwb9BfXdvhOPXBJq+Qf6CZ6hPo8Q@mail.gmail.com \
    --to=nfirvine@nfirvine.com \
    --cc=p.stephenson@samsung.com \
    --cc=zsh-users@zsh.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/zsh/

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).