[prev in list] [next in list] [prev in thread] [next in thread] 

List:       fedora-devel-list
Subject:    Re: F40 Change Proposal: F40 Change Proposal: Unify /usr/bin and /usr/sbin (System-Wide)
From:       Zbigniew =?utf-8?Q?J=C4=99drzejewski-Szmek?= <zbyszek () in ! waw ! pl>
Date:       2024-01-08 13:48:54
Message-ID: ZZv9RnLpekM0Z4jD () kawka3 ! in ! waw ! pl
[Download RAW message or body]

On Sun, Jan 07, 2024 at 04:58:23AM +0100, Kevin Kofler via devel wrote:
> Kevin Kofler via devel wrote:
> > Aoife Moloney wrote:
> > > == Summary ==
> > > The `/usr/sbin` directory becomes a symlink to `bin`, which means
> > > paths like `/usr/bin/foo` and `/usr/sbin/foo` point to the same place.
> > > `/bin` and `/sbin` are already symlinks to `/usr/bin` and `/usr/sbin`,
> > > so effectively `/bin/foo` and `/sbin/foo` also point to the same
> > > place. `/usr/sbin` will be removed from the default `$PATH`.
> > 
> > I am against this because it breaks my kannolo-root-unlocker package:
> > https://svn.calcforge.org/viewvc/kannolo/trunk/packages/kannolo-root-unlocker/kannolo-root-unlocker.spec?revision=270&view=markup
> >  
> > I do not want to patch/overwrite the binaries in /usr/bin (because it will
> > make the RPM verify fail, and also historically because it breaks
> > deltarpms, though AIUI we do not support those anymore anyway), so I put
> > the ones patched to accept running as root into /usr/sbin, which is
> > conveniently before /usr/bin in root's PATH. This change breaks that.
> > 
> > If this is implemented, I will have to change the kannolo-root-unlocker to
> > patch the binaries in place. But people who have the old version of
> > kannolo- root-unlocker installed may end up with corrupt binaries, because
> > the scriptlets of course do not expect %{_bindir} and %{_sbindir} to be
> > the same or symlinks to the same. (They are different macros for a
> > reason.)
> 
> Note that I already thought of using /usr/local/bin, in fact this was my 
> first attempt, but that does not work because kdesu does not search in 
> /usr/local/bin, and the KDE SIG also refused to fix that.

It really sounds like something to fix in kdesu.

Stripping directories out of $PATH is a not-thought-through security
theater. Essentially, by the time we get to kdesu, the system already
went through the full boot processes, including the whole graphical
session, so if there's an attacker who managed to put a rogue binary
in /usr/local/bin or /usr/local/sbin which are in the system $PATH,
the game is looooong over.

(Or in other words, if you can put a rogue binary there and execute
code as root as various points in the boot process, easily and
undectably, why would you wait until a human user happens to execute
kdesu??.)

Zbyszek
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
 Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue


[prev in list] [next in list] [prev in thread] [next in thread]