- Use the altconfig option in your script to explicitly set the location of the configuration file.
- Make sure that only the script can read the configuration file if it contains any sensitive information (such as passphrases).
Anchor _Ref21166641 _Ref21166641Make sure that the configuration file specifies a temporary directory, even if PKZIP will never need to create temporary files.
PKZIP uses configuration files to determine what defaults are set for options and sub-options. If a configuration file is not explicitly set in your script with the altconfig option, PKZIP looks for a configuration file in the current directory. A malicious user could put a configuration file in the directory where the script runs and thereby change the behavior of PKZIP. This could result in the wrong files (or even no files at all) being compressed or extracted. It could cause the extracted files to have different permissions after they are extracted, or it could even cause a self-extracting file (SFX) you create to ask the user to run some program after the SFX is run. This program could be a Trojan horse created by the malicious user and added by the configuration file.
Just as it is dangerous not to explicitly specify a configuration file, it is also dangerous to let anyone change the file. Allowing a user to change the file creates the same risk as allowing a user to create one from scratch. Similarly, the directory containing the file should be protected so that the file cannot be removed and then replaced with a new one.
To specify a configuration file for your script, use the altconfig option. This option can be used to create, update, or just read a custom configuration file (for example, one intended for use specifically with your script).
The following command creates an alternate configuration file newconfig.xml in the current directory. The default option used with the config command initializes default settings to their original values.
pkzipc -altconfig=newconfig.xml -config -default