'Re: kdesu overrides user's PATH with hardcoded path'

[prev in list] [next in list] [prev in thread] [next in thread] 

List: kde-devel
Subject: Re: kdesu overrides user's PATH with hardcoded path
From: Romain <romainguinot () gmail ! com>
Date: 2008-08-12 20:46:24
Message-ID: ae44b51f0808121346h759fe09bhd068fb9b72c78d75 () mail ! gmail ! com
[Download RAW message or body]

[Attachment #2 (multipart/alternative)]

I understand you guys on a security standpoint.
I guess what i was trying to say is that if a KDE application is relying on
system PATH to pickup an application , it will pickup the non localized
version of it . As you say this is probably good security wise and i didn't
think of it this way... Glad we discussed it.

My comment was general, now trying to find an example where this would be
annoying as someone mentionned i found a simple one :
looking at the simple clock applet, it is calling ntpdate that's on system
path , overriden by kdesu if you choose to sync your clock over NTP. Say you
wanted to use your own ntpdate for whichever reason, you would have to place
it in /bin for example , provided it is before the standard one located in
/usr/bin in the overriden path, instead of a */local variation...This is
indeed minor

I also agree that a code comment of why this is hardcoded would be nice .

Cheers ,
Romain.

On Tue, Aug 12, 2008 at 7:24 PM, Romain GUINOT <romainguinot@gmail.com>wrote:

> Hi,
>
> I have found a small bug in kdesu's stub.cpp source file.
> It overrides the user's own $PATH by adding
> "/sbin:/bin:/usr/sbin:/usr/bin:"  in front of it .
> This does not interfere for most users, but is a problem when you sometimes
> have a few local binaries sitting in non default
> directories. When this is the case, kdesu picks up the "wrong" standard
> one.
>
> The fix is extremely simple, just add the hardcoded path after the user's
> $PATH instead of before.
> The patch is attached.
>
> I am not sure if describing/fixing it here is the best way to go ? should i
> create a bug report and reference it here in place of
> describing it here ?
>
> Thanks,
> Romain.
>
>
>

[Attachment #5 (text/html)]

<div dir="ltr">I understand you guys on a security standpoint. I guess what i was \
trying to say is that if a KDE application is relying on system PATH to pickup an \
application , it will pickup the non localized version of it . As you say this is \
probably good security wise and i didn&#39;t think of it this way... Glad we \
discussed it. My comment was general, now trying to find an example where \
this would be annoying as someone mentionned i found a simple one : looking at \
the simple clock applet, it is calling ntpdate that&#39;s on system path , overriden \
by kdesu if you choose to sync your clock over NTP. Say you wanted to use your own \
ntpdate for whichever reason, you would have to place it in /bin for example , \
provided it is before the standard one located in /usr/bin in the overriden path, \
instead of a */local variation...This is indeed minor I also agree that a \
code comment of why this is hardcoded would be nice . Cheers , \
 Romain. &nbsp; <div class="gmail_quote">On Tue, Aug 12, 2008 at 7:24 \
PM, Romain GUINOT &lt;<a \
href="mailto:romainguinot@gmail.com">romainguinot@gmail.com</a>&gt; wrote: \
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); \
margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi, 
I have found a small bug in kdesu&#39;s stub.cpp source file. 
It overrides the user&#39;s own $PATH by adding \
&quot;/sbin:/bin:/usr/sbin:/usr/bin:&quot; &nbsp;in front of it . This does not \
interfere for most users, but is a problem when you sometimes have a few local \
binaries sitting in non default directories. When this is the case, kdesu picks \
up the &quot;wrong&quot; standard one. 
The fix is extremely simple, just add the hardcoded path after the user&#39;s $PATH \
instead of before. The patch is attached. 
 
I am not sure if describing/fixing it here is the best way to go ? should i create a \
bug report and reference it here in place of describing it here ? 
 
Thanks, 
Romain. 
 
 
</blockquote></div> </div>

>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<

[prev in list] [next in list] [prev in thread] [next in thread] 