[prev in list] [next in list] [prev in thread] [next in thread]
List: kde-devel
Subject: Re: kdesu overrides user's PATH with hardcoded path
From: Tony Wolf <wolf () os-forge ! net>
Date: 2008-08-12 21:36:00
Message-ID: 48A20240.1010203 () os-forge ! net
[Download RAW message or body]
ah thx. now I got the idea behind it! Yes, this improves security :)
Guillaume Pothier wrote:
>> If I like to use the "cracked" executable, then I'm able to use the full
>> path. So there is no "limitation" to use it anyway.
>>
>>
>
> Yes, you can use it if you really want to, but you are less likely to
> use it by mistake.
> g
>
>
>> Or did I miss something?
>>
>> Best regards
>>
>> Tony
>>
>> Guillaume Pothier wrote:
>>
>>> My 2 cents: there should be a comment explaining this in the file.
>>> That would prevent someone to accidentally "fix" the security feature.
>>> eg:
>>> // SECURITY: The system path is intentionally added before the user path.
>>> // (user-installed programs can be run using their absolute path)
>>>
>>> g
>>>
>>> On Tue, Aug 12, 2008 at 3:39 PM, Michael Pyne <mpyne@purinchu.net> wrote:
>>>
>>>
>>>> On Tuesday 12 August 2008, John Tapsell wrote:
>>>>
>>>>
>>>>
>>>>> 2008/8/12 Romain GUINOT <romainguinot@gmail.com>:
>>>>>
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have found a small bug in kdesu's stub.cpp source file.
>>>>>>
>>>>>> It overrides the user's own $PATH by adding
>>>>>>
>>>>>> "/sbin:/bin:/usr/sbin:/usr/bin:" in front of it . This does not
>>>>>>
>>>>>> interfere for most users, but is a problem when you sometimes have a few
>>>>>>
>>>>>> local binaries sitting in non default directories. When this is the
>>>>>> case,
>>>>>>
>>>>>> kdesu picks up the "wrong" standard one.
>>>>>>
>>>>>> The fix is extremely simple, just add the hardcoded path after the
>>>>>> user's
>>>>>>
>>>>>> $PATH instead of before. The patch is attached.
>>>>>>
>>>>>> I am not sure if describing/fixing it here is the best way to go ?
>>>>>> should
>>>>>>
>>>>>> i create a bug report and reference it here in place of describing it
>>>>>>
>>>>>> here ?
>>>>>>
>>>>>>
>>>>> It would seem to me to be a security feature than a bug. Canyou give
>>>>>
>>>>> an actual use case/ example of why you'd not want this?
>>>>>
>>>>>
>>>> Indeed, if it is actually necessary to run a user's version specifically of
>>>> an application it is more reliable in general to use the absolute path to
>>>> the application instead of relying on PATH.
>>>>
>>>> Prepending instead of appending to the user PATH prevents duplicity
>>>> involving depositing a sinister ls program in the user's directory and then
>>>> having the user inadvertently run the corrupt ls when he meant /bin/ls. This
>>>> is especially dangerous when running the program via su or sudo.
>>>>
>>>> Regards,
>>>>
>>>> - Michael Pyne
>>>>
>>>>
>>>>
>>>>>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe
>>>>>> <<
>>>>>>
>>>>>>
>>>
>>>>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<
>>>>>
>>>>>
>>>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<
>>>>
>
>
>>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<
>>>
>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic