coolo at kde.org
Wed Jun 5 08:31:02 BST 2002
On Tuesday, 4 June 2002 12:45, Allan Sandfeld Jensen wrote:
> On Tuesday 04 June 2002 11:37, Stephan Kulow wrote:
> > Hi!
> > Some tools expect /sbin to be part of the root path as "su"
> > adds them (I'm not sure if it's set by some environment files
> > or if it's added by su itself - "su -" surely sets it through the
> > profile)
> > Anyway, kdesu doesn't behave like that, so /sbin is missing.
> > Anyone objecting against the following patch?
> > Greetings, Stephan
> > + if (!path.isEmpty())
> > + path = "/sbin:/usr/sbin:" + path;
> > + else
> > + path = "/sbin:/usr/sbin";
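Review bot: the `path = "/sbin:/usr/sbin:" + path;` line prepends unconditionally, so a PATH that already lists /sbin or /usr/sbin ends up with duplicate entries; check for the two directories before adding them. The `isEmpty()` test also only covers a wholly empty PATH: an existing value with an empty component (a leading or trailing colon, or "::") is passed through unchanged, and an empty component makes the lookup search the current directory for a program that will run as root. A one-line comment on the else branch saying it exists to avoid a trailing colon would make the intent clear.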
> In case the path is empty shouldn't we use the full standard path and
> include /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin?
Actually I don't expect the path to be empty for a user. It was just a
fallback in the code to not crash or look into . (I've seen an exploit once
where LD_LIBRARY_PATH=/usr/lib: means to look into . and you could
create an exploit glibc clone.)
> Also, if you look at the environment after running su, it seems it does run
> profile; it just doesn't clear the environment first:
> Princess:/etc% echo $PATH
> :/usr/bin/X11:/usr/games
> Princess:/etc% su
> Princess:/etc# echo $PATH
> Princess:/etc# exit
I'm aware of that, but su also gives you a complete shell while kdesu only
calls a specific program, and if you would remove e.g. /opt/kde3/bin from that
PATH, it would be bad. As I wrote, this is about apps that are called from
kdesu that don't cover the case of being called from kdesu (e.g. without /sbin
in PATH). The same would be true for apps that are called from su -p.
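The PATH handling discussed in this message, as an added example that is not kdesu's code and not part of the original mail. It goes beyond the posted patch by also dropping empty and relative entries (which resolve to the current directory) and duplicates; the function name `rootPath` and the use of standard C++ strings instead of Qt ones are assumptions made for illustration.

```cpp
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Hypothetical helper: build the PATH handed to a program that will run as
// root, starting from the calling user's PATH.
std::string rootPath(const std::string &userPath)
{
    // The two directories the patch in the thread prepends.
    std::vector<std::string> dirs = {"/sbin", "/usr/sbin"};

    // Split on ':' by hand so leading, trailing and doubled colons show up
    // as empty entries instead of being silently merged.
    std::string::size_type start = 0;
    while (start <= userPath.size()) {
        std::string::size_type end = userPath.find(':', start);
        if (end == std::string::npos)
            end = userPath.size();
        dirs.push_back(userPath.substr(start, end - start));
        start = end + 1;
    }

    std::set<std::string> seen;
    std::string result;
    for (const std::string &dir : dirs) {
        // An empty entry and any relative entry such as "." are looked up
        // against the current directory: never pass them to a root process.
        if (dir.empty() || dir[0] != '/')
            continue;
        // Keep the first occurrence only, so /sbin is not listed twice.
        if (!seen.insert(dir).second)
            continue;
        if (!result.empty())
            result += ':';
        result += dir;
    }
    return result;
}

int main()
{
    // Constructed sample: user PATH with a doubled colon, ".", a trailing
    // colon and an /sbin entry that is already present.
    std::cout << rootPath("/opt/kde3/bin::/sbin:.:/usr/bin:") << "\n";
    return 0;
}
```

User directories such as /opt/kde3/bin are kept, in their original order, after the two sbin directories.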