kdesu patch

Stephan Kulow coolo at kde.org
Wed Jun 5 08:31:02 BST 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday, 4 June 2002 12:45, Allan Sandfeld Jensen wrote:
> On Tuesday 04 June 2002 11:37, Stephan Kulow wrote:
> > Hi!
> >
> > Some tools expect /sbin to be part of the root path as "su"
> > adds them (I'm not sure if it's set by some environment files
> > or if it's added by su itself - "su -" surely sets it through the
> > profile)
> >
> > Anyway, kdesu doesn't behave like that, so /sbin is missing.
> > Anyone objecting against the following patch?
> >
> > Greetings, Stephan
> >
> > +               if (!path.isEmpty())
> > +                   path = "/sbin:/usr/sbin:" + path;
> > +               else
> > +                   path = "/sbin:/usr/sbin";
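Review bot: the empty-PATH branch sets only "/sbin:/usr/sbin", so a program started with an empty PATH loses /bin and /usr/bin altogether; if this branch is only a safety net, falling back to the full standard list (the /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin proposed in the reply below) is the safer default. Also, the prepend in the non-empty branch is unconditional, so a PATH that already lists /sbin or /usr/sbin ends up with duplicate entries; checking for them before prepending would avoid that.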
>
> In case the path is empty shouldn't we use the full standard path and
> include /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Actually I don't expect the path to be empty for a user. It was just a 
fallback in the code to not crash or look into . (I've seen an exploit once 
where LD_LIBRARY_PATH=/usr/lib: means to look into . and you could
create an exploit glibc clone.)
>
> Also if you look at the environment after running su, it seems it does run
> profile, it just doesn't clear the environment first:
>
> Princess:/etc% echo $PATH
> /opt/kde3/bin:/opt/qt3/bin:/usr/local/bin:/usr/bin:/usr/intel/ia32/bin:/bin:/usr/bin/X11:/usr/games
> Princess:/etc% su
> Password:
> Princess:/etc# echo $PATH
> /sbin:/bin:/usr/sbin:/usr/bin:/usr/bin/X11:/usr/local/sbin:/usr/local/bin
> Princess:/etc# exit
I'm aware of that, but su also gives you a complete shell while kdesu only 
calls a specific program, and if you would remove e.g. /opt/kde3/bin from that
PATH, it would be bad. As I wrote, this is about apps that are called from
kdesu, that don't cover the case of being called from kdesu (e.g. without /sbin
in PATH). The same would be true for apps that are called from su -p

Greetings, Stephan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8/b42wFSBhlBjoJYRAgxeAJ41R8cXX44W3HLOpEwTje+RNgiWNgCgxh+2
9cvID6ffWXn9Jck3FTm0Aro=
=hvPH
-----END PGP SIGNATURE-----
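The PATH handling discussed in this thread, as an added example that is not kdesu's code: it prepends /sbin and /usr/sbin the way the patch does, uses a full standard list (the one proposed in the reply, an assumed default here) when the caller's PATH is empty, and additionally drops empty and relative entries, since an empty element (leading, trailing or doubled colon) makes the shell search the current directory, the same pitfall the LD_LIBRARY_PATH=/usr/lib: remark describes. It uses std::string instead of Qt's QString so it builds without Qt; the function names are this example's own.

```cpp
// Added example (not kdesu's code): build the PATH a privileged helper should
// export before starting a program. Plain C++ instead of Qt's QString.
#include <algorithm>
#include <sstream>
#include <string>
#include <vector>

// Used when the caller's PATH is empty. Assumed default, taken from the list
// proposed in the thread rather than from kdesu itself.
static const char* kFallbackPath =
    "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin";

// Split on ':' and keep empty fields, because "" is meaningful: the shell and
// execvp() treat an empty PATH element as the current directory.
static std::vector<std::string> splitPath(const std::string& path) {
    std::vector<std::string> out;
    std::string item;
    std::istringstream in(path);
    while (std::getline(in, item, ':')) out.push_back(item);
    // getline drops a trailing empty field ("/usr/lib:" -> ["/usr/lib"]);
    // put it back so the sanitiser sees the trailing colon.
    if (!path.empty() && path.back() == ':') out.push_back("");
    return out;
}

// Returns a PATH that (1) starts with /sbin:/usr/sbin, (2) omits empty and
// relative entries, which would search the current directory, and (3) keeps
// the caller's remaining entries in their original order without duplicates.
std::string buildPrivilegedPath(const std::string& userPath) {
    std::vector<std::string> entries = {"/sbin", "/usr/sbin"};
    const std::string source = userPath.empty() ? kFallbackPath : userPath;
    for (const std::string& e : splitPath(source)) {
        if (e.empty() || e[0] != '/') continue;  // "", ".", "bin" ...
        if (std::find(entries.begin(), entries.end(), e) != entries.end())
            continue;                            // already present
        entries.push_back(e);
    }
    std::string result;
    for (size_t i = 0; i < entries.size(); ++i) {
        if (i) result += ':';
        result += entries[i];
    }
    return result;
}

// Detection helper: true when a search-path variable (PATH, LD_LIBRARY_PATH)
// contains an element that resolves to the current directory.
bool pathSearchesCwd(const std::string& path) {
    for (const std::string& e : splitPath(path))
        if (e.empty() || e[0] != '/') return true;
    return false;
}
```

Calling `buildPrivilegedPath("/usr/local/bin:/usr/bin:/bin")` yields `/sbin:/usr/sbin:/usr/local/bin:/usr/bin:/bin`, and `pathSearchesCwd("/usr/lib:")` is true because of the trailing colon, which is the shape of the LD_LIBRARY_PATH value mentioned above.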