[prev in list] [next in list] [prev in thread] [next in thread]
List: kde-devel
Subject: Re: kdesu overrides user's PATH with hardcoded path
From: Michael Pyne <mpyne () purinchu ! net>
Date: 2008-08-12 19:39:42
Message-ID: 200808121539.47445.mpyne () purinchu ! net
[Download RAW message or body]
[Attachment #2 (multipart/signed)]
[Attachment #4 (multipart/alternative)]
On Tuesday 12 August 2008, John Tapsell wrote:
> 2008/8/12 Romain GUINOT <romainguinot@gmail.com>:
> > Hi,
> >
> > I have found a small bug in kdesu's stub.cpp source file.
> > It overrides the user's own $PATH by adding
> > "/sbin:/bin:/usr/sbin:/usr/bin:" in front of it . This does not
> > interfere for most users, but is a problem when you sometimes have a few
> > local binaries sitting in non default directories. When this is the case,
> > kdesu picks up the "wrong" standard one.
> >
> > The fix is extremely simple, just add the hardcoded path after the user's
> > $PATH instead of before. The patch is attached.
> >
> > I am not sure if describing/fixing it here is the best way to go ? should
> > i create a bug report and reference it here in place of describing it
> > here ?
>
> It would seem to me to be a security feature than a bug. Canyou give
> an actual use case/ example of why you'd not want this?
Indeed, if it is actually necessary to run a user's version specifically of an
application it is more reliable in general to use the absolute path to the
application instead of relying on PATH.
Prepending instead of appending to the user PATH prevents duplicity involving
depositing a sinister ls program in the user's directory and then having the
user inadvertently run the corrupt ls when he meant /bin/ls. This is
especially dangerous when running the program via su or sudo.
Regards,
- Michael Pyne
[Attachment #7 (text/html)]
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" \
"http://www.w3.org/TR/REC-html40/strict.dtd"> <html><head><meta name="qrichtext" \
content="1" /><style type="text/css"> p, li { white-space: pre-wrap; }
</style></head><body style=" font-family:'Consolas'; font-size:11pt; font-weight:400; \
font-style:normal;"> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; \
margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">On Tuesday \
12 August 2008, John Tapsell wrote:</p> <p style=" margin-top:0px; margin-bottom:0px; \
margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; \
-qt-user-state:0;">> 2008/8/12 Romain GUINOT <romainguinot@gmail.com>:</p> \
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; \
-qt-block-indent:0; text-indent:0px; -qt-user-state:0;">> > Hi,</p> <p style=" \
margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; \
-qt-block-indent:0; text-indent:0px; -qt-user-state:0;">> ></p> <p style=" \
margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; \
-qt-block-indent:0; text-indent:0px; -qt-user-state:0;">> > I have found a \
small bug in kdesu's stub.cpp source file.</p> <p style=" margin-top:0px; \
margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; \
text-indent:0px; -qt-user-state:0;">> > It overrides the user's own $PATH by \
adding</p> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; \
margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">> > \
"/sbin:/bin:/usr/sbin:/usr/bin:" in front of it . This does not</p> <p style=" \
margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; \
-qt-block-indent:0; text-indent:0px; -qt-user-state:0;">> > interfere for most \
users, but is a problem when you sometimes have a few</p> <p style=" margin-top:0px; \
margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; \
text-indent:0px; -qt-user-state:0;">> > local binaries sitting in non default \
directories. When this is the case,</p> <p style=" margin-top:0px; margin-bottom:0px; \
margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; \
-qt-user-state:0;">> > kdesu picks up the "wrong" standard one.</p> <p style=" \
margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; \
-qt-block-indent:0; text-indent:0px; -qt-user-state:0;">> ></p> <p style=" \
margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; \
-qt-block-indent:0; text-indent:0px; -qt-user-state:0;">> > The fix is \
extremely simple, just add the hardcoded path after the user's</p> <p style=" \
margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; \
-qt-block-indent:0; text-indent:0px; -qt-user-state:0;">> > $PATH instead of \
before. The patch is attached.</p> <p style=" margin-top:0px; margin-bottom:0px; \
margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; \
-qt-user-state:0;">> ></p> <p style=" margin-top:0px; margin-bottom:0px; \
margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; \
-qt-user-state:0;">> > I am not sure if describing/fixing it here is the best \
way to go ? should</p> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; \
margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">> > i \
create a bug report and reference it here in place of describing it</p> <p style=" \
margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; \
-qt-block-indent:0; text-indent:0px; -qt-user-state:0;">> > here ?</p> <p \
style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; \
-qt-block-indent:0; text-indent:0px; -qt-user-state:0;">></p> <p style=" \
margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; \
-qt-block-indent:0; text-indent:0px; -qt-user-state:0;">> It would seem to me to \
be a security feature than a bug. Canyou give</p> <p style=" margin-top:0px; \
margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; \
text-indent:0px; -qt-user-state:0;">> an actual use case/ example of why you'd not \
want this?</p> <p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; \
margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; \
-qt-user-state:0;"></p> <p style=" margin-top:0px; margin-bottom:0px; \
margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; \
-qt-user-state:0;">Indeed, if it is actually necessary to run a user's version \
specifically of an application it is more reliable in general to use the absolute \
path to the application instead of relying on PATH.</p> <p \
style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; \
margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"></p> <p \
style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; \
-qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Prepending instead of \
appending to the user PATH prevents duplicity involving depositing a sinister ls \
program in the user's directory and then having the user inadvertently run the \
corrupt ls when he meant /bin/ls. This is especially dangerous when running the \
program via su or sudo.</p> <p style="-qt-paragraph-type:empty; margin-top:0px; \
margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; \
text-indent:0px; -qt-user-state:0;"></p> <p style=" margin-top:0px; \
margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; \
text-indent:0px; -qt-user-state:0;">Regards,</p> <p style=" margin-top:0px; \
margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; \
text-indent:0px; -qt-user-state:0;"> - Michael Pyne</p></body></html>
["signature.asc" (application/pgp-signature)]
>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic