Say I want to do `source $VIRTUAL_ENV/bin/activate` in my bashrc whenever the VIRTUAL_ENV is defined.
In general, the idea of running a script pointed to by an environment variable seems a bit fishy as it can be writable by other users. So it would seem a check of permissions is desirable, in a fashion similar to the `.ssh/config`. Is that the common practice?
On the other hand, the VIRTUAL_ENV goes into PATH anyway, so if anyone managed to tamper with that directory, you're screwed anyway, why bother. Or rather than give up you can go deeper and ensure that any directory added to PATH is writable by root+yourself only.
So what are the good practices on what to trust and not to trust regarding the process environment? I'm somewhat surprised shells don't already validate the permissions on directories that're added to PATH.
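The permission check the question describes, as an added example that is not part of the original post: it refuses to source `activate` unless the script and each directory above it is owned by root or the current user and is not writable by group or others. The function names and the optional "stop" directory argument (where the upward walk ends) are assumptions made for this sketch.

```bash
# Added example; path_is_trusted and activate_venv_if_trusted are hypothetical names.
# Succeeds only if FILE and each directory from it up to STOP (default /) is
# owned by root or the current user and is not group- or world-writable.
path_is_trusted() {
    local p stop me dir
    me=$(id -u)
    # Resolve symlinks in the directory parts so the real location is checked.
    dir=$(CDPATH= cd -P -- "$(dirname -- "$1")" 2>/dev/null && pwd -P) || return 1
    stop=$(CDPATH= cd -P -- "${2:-/}" 2>/dev/null && pwd -P) || return 1
    p=${dir%/}/$(basename -- "$1")
    # The script itself must be a regular file, not a symlink.
    [ -f "$p" ] && [ ! -L "$p" ] || return 1
    while :; do
        # ls -ldn prints "<mode> <links> <uid> ..." with a numeric owner.
        set -- $(ls -ldn -- "$p" 2>/dev/null)
        [ $# -ge 3 ] || return 1
        [ "$3" = 0 ] || [ "$3" = "$me" ] || return 1
        # Character 6 of the mode string is group write, character 9 is other write.
        case $1 in ?????w*|????????w*) return 1 ;; esac
        if [ "$p" = "$stop" ] || [ "$p" = / ]; then return 0; fi
        p=$(dirname -- "$p")
    done
}

# Call this from ~/.bashrc instead of sourcing the script directly.
activate_venv_if_trusted() {
    [ -n "${VIRTUAL_ENV:-}" ] || return 0
    if path_is_trusted "$VIRTUAL_ENV/bin/activate" "${1:-$HOME}"; then
        . "$VIRTUAL_ENV/bin/activate"
    else
        echo "not sourcing $VIRTUAL_ENV/bin/activate: unsafe owner or mode" >&2
        return 1
    fi
}
```

Checking the parent directories matters because a directory writable by another user lets that user replace the script between the check and the `source`.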