[prev in list] [next in list] [prev in thread] [next in thread]
List: kde-devel
Subject: Re: kdesu overrides user's PATH with hardcoded path
From: "Guillaume Pothier" <gpothier () gmail ! com>
Date: 2008-08-12 19:50:42
Message-ID: 8caa8ded0808121250v3d679ba6qa61fd042deaf7c9f () mail ! gmail ! com
[Download RAW message or body]
My 2 cents: there should be a comment explaining this in the file.
That would prevent someone to accidentally "fix" the security feature.
eg:
// SECURITY: The system path is intentionally added before the user path.
// (user-installed programs can be run using their absolute path)
g
On Tue, Aug 12, 2008 at 3:39 PM, Michael Pyne <mpyne@purinchu.net> wrote:
> On Tuesday 12 August 2008, John Tapsell wrote:
>
>> 2008/8/12 Romain GUINOT <romainguinot@gmail.com>:
>
>> > Hi,
>
>> >
>
>> > I have found a small bug in kdesu's stub.cpp source file.
>
>> > It overrides the user's own $PATH by adding
>
>> > "/sbin:/bin:/usr/sbin:/usr/bin:" in front of it . This does not
>
>> > interfere for most users, but is a problem when you sometimes have a few
>
>> > local binaries sitting in non default directories. When this is the
>> > case,
>
>> > kdesu picks up the "wrong" standard one.
>
>> >
>
>> > The fix is extremely simple, just add the hardcoded path after the
>> > user's
>
>> > $PATH instead of before. The patch is attached.
>
>> >
>
>> > I am not sure if describing/fixing it here is the best way to go ?
>> > should
>
>> > i create a bug report and reference it here in place of describing it
>
>> > here ?
>
>>
>
>> It would seem to me to be a security feature than a bug. Canyou give
>
>> an actual use case/ example of why you'd not want this?
>
> Indeed, if it is actually necessary to run a user's version specifically of
> an application it is more reliable in general to use the absolute path to
> the application instead of relying on PATH.
>
> Prepending instead of appending to the user PATH prevents duplicity
> involving depositing a sinister ls program in the user's directory and then
> having the user inadvertently run the corrupt ls when he meant /bin/ls. This
> is especially dangerous when running the program via su or sudo.
>
> Regards,
>
> - Michael Pyne
>
>>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe
>>> <<
>
>
>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic