...
Note that the second alternative grants permission to execute any program. Consequently, we strongly recommend that permissions should be restricted granted only on a per file whenever basis, when possible. Do this by specifying absolute paths in the security policy file (, as in the first alternative above).
Risk Assessment
OS command injection can cause arbitrary programs to be executed.
...