List:       kde-devel
Subject:    Re: kdesu overrides user's PATH with hardcoded path
From:       "Guillaume Pothier" <gpothier () gmail ! com>
Date:       2008-08-12 21:30:22
Message-ID: 8caa8ded0808121430i75aeb034t2d2fecdfc34d81d8 () mail ! gmail ! com

>
> If I like to use the "cracked" executable, then I'm able to use the full
> path. So there is no "limitation" to use it anyway.
>

Yes, you can use it if you really want to, but you are less likely to
use it by mistake.
g

> Or did I miss something?
>
> Best regards
>
> Tony
>
> Guillaume Pothier wrote:
>> My 2 cents: there should be a comment explaining this in the file.
>> That would prevent someone from accidentally "fixing" the security feature.
>> e.g.:
>> // SECURITY: The system path is intentionally added before the user path.
>> // (user-installed programs can be run using their absolute path)
>>
>> g
>>
>> On Tue, Aug 12, 2008 at 3:39 PM, Michael Pyne <mpyne@purinchu.net> wrote:
>>
>>> On Tuesday 12 August 2008, John Tapsell wrote:
>>>
>>>
>>>> 2008/8/12 Romain GUINOT <romainguinot@gmail.com>:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have found a small bug in kdesu's stub.cpp source file.
>>>>>
>>>>> It overrides the user's own $PATH by adding
>>>>> "/sbin:/bin:/usr/sbin:/usr/bin:" in front of it. This does not
>>>>> interfere for most users, but is a problem when you sometimes have a few
>>>>> local binaries sitting in non-default directories. When this is the case,
>>>>> kdesu picks up the "wrong" standard one.
>>>>>
>>>>> The fix is extremely simple: just add the hardcoded path after the user's
>>>>> $PATH instead of before. The patch is attached.
>>>>>
>>>>> I am not sure if describing/fixing it here is the best way to go? Should
>>>>> I create a bug report and reference it here in place of describing it
>>>>> here?
>>>>>
>>>> It would seem to me to be more of a security feature than a bug. Can you give
>>>> an actual use case/example of why you'd not want this?
>>>>
>>> Indeed, if it is actually necessary to run a user's version specifically of
>>> an application it is more reliable in general to use the absolute path to
>>> the application instead of relying on PATH.
>>>
>>> Prepending instead of appending to the user PATH prevents duplicity
>>> involving depositing a sinister ls program in the user's directory and then
>>> having the user inadvertently run the corrupt ls when he meant /bin/ls. This
>>> is especially dangerous when running the program via su or sudo.
>>>
>>> Regards,
>>>
>>> - Michael Pyne
>>>
>>>
>>>>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<
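The lookup behaviour the thread is arguing about, as an added example that is not kdesu's code and not part of this thread: the system-directory string is the one quoted from stub.cpp above, `resolve` is a simplified model of how execvp() walks PATH left to right (an assumption, not kdesu's implementation), and the "trojaned" `ls` is a constructed, harmless shell script dropped into a temporary user-writable directory. `kdesu_path` builds PATH the way the stub does today (system directories first); `patched_path` builds it the way the proposed patch would (caller's PATH first).

```shell
#!/bin/sh
# Added example, not kdesu's code: shows why the order of PATH entries matters
# when a command runs with elevated privileges.
set -e

# String taken from the thread: kdesu's stub prepends these to the caller's PATH.
KDESU_SYSTEM_DIRS="/sbin:/bin:/usr/sbin:/usr/bin"

# Current behaviour: system directories first, then the caller's PATH.
kdesu_path() {
    printf '%s:%s\n' "$KDESU_SYSTEM_DIRS" "$1"
}

# Proposed patch: caller's PATH first, system directories appended.
patched_path() {
    printf '%s:%s\n' "$1" "$KDESU_SYSTEM_DIRS"
}

# Simplified model of execvp()'s search (assumption, not kdesu's own code):
# walk the directories left to right, the first executable regular file wins.
# An empty entry means the current directory, as it does for execvp().
resolve() {
    name=$1
    path=$2
    old_ifs=$IFS
    IFS=:
    for dir in $path; do
        IFS=$old_ifs
        [ -n "$dir" ] || dir=.
        if [ -x "$dir/$name" ] && [ ! -d "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Demonstration: a user-writable directory containing a constructed "ls" that
# only prints a marker; this stands in for the "sinister ls" of the thread.
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\necho "constructed trojan ls ran"\n' > "$tmp/ls"
    chmod +x "$tmp/ls"
    user_path="$tmp:/usr/local/bin"

    echo "caller PATH  : $user_path"
    echo "kdesu PATH   : $(kdesu_path "$user_path")"
    echo "  ls resolves to: $(resolve ls "$(kdesu_path "$user_path")")"
    echo "patched PATH : $(patched_path "$user_path")"
    echo "  ls resolves to: $(resolve ls "$(patched_path "$user_path")")"
    rm -rf "$tmp"
}

demo
```

With the current (prepend) order `ls` resolves to /bin/ls regardless of what the caller put in PATH; with the patched (append) order the file in the user-writable directory wins, which is exactly the case that matters when the command is about to run as root via su or sudo. Running a user-installed binary on purpose still works in both layouts by giving its absolute path.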