Security risk in setting up $LD_LIBRARY_PATH by KDE script
Vlad
vladc6 at yahoo.com
Mon Feb 18 18:17:49 GMT 2008
Hi,
The KDE script
(http://techbase.kde.org/index.php?title=Getting_Started/Increased_Productivity_in_KDE4_with_Scripts/.bashrc)
that developers are encouraged to place in their ~/.bashrc file
contains the following line:
    export LD_LIBRARY_PATH=$KDEDIR/lib:$QTDIR/lib:$LD_LIBRARY_PATH
If $LD_LIBRARY_PATH is empty before the above line is executed, then
the $LD_LIBRARY_PATH after that line will end in a colon (:).
    $ echo $LD_LIBRARY_PATH
    /home/kde-devel/qt-copy/lib:/home/kde-devel/kde/lib:
This causes files such as tls, i686, sse2, cmov and libc.so.6 to be
searched for in the current directory (.). Wouldn't this be a security
risk?
Removing the final colon from $LD_LIBRARY_PATH prevents searching the
current directory. Shouldn't we therefore first check whether
$LD_LIBRARY_PATH is empty?
    if [[ $LD_LIBRARY_PATH = "" ]]
    then export LD_LIBRARY_PATH=$QTDIR/lib:$KDEDIR/lib
    else export LD_LIBRARY_PATH=$QTDIR/lib:$KDEDIR/lib:$LD_LIBRARY_PATH
    fi
Thanks,
Vlad
More information about the kde-core-devel
mailing list
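
The trailing-colon case from the message above, as an added example that is not part of the original post or of the KDE script. It goes a step further than the post by also catching leading and doubled colons and a literal "." entry; the function names are hypothetical, and the directory values are the ones visible in the post's echo output.

```bash
#!/bin/bash
# Added example, not from the original post.

# Succeed (return 0) if a colon-separated search path holds an entry the
# dynamic linker resolves to the current directory: an empty element
# (leading, trailing or doubled colon) or a literal ".".
path_has_cwd_entry() {
    [ -n "$1" ] || return 1          # empty/unset variable: no search path at all
    case ":$1:" in
        *::*|*:.:*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print the path with empty and "." entries dropped. The body runs in a
# subshell, so the IFS and globbing changes do not leak to the caller.
path_clean() (
    IFS=:
    set -f
    out=
    for entry in $1; do
        [ -n "$entry" ] && [ "$entry" != "." ] || continue
        out="${out:+$out:}$entry"
    done
    printf '%s\n' "$out"
)

# Print NEW prepended to a cleaned OLD. ${old:+:$old} adds the separating
# colon only when OLD is non-empty, so no trailing colon can appear.
path_prepend() {
    old=$(path_clean "$2")
    printf '%s\n' "$1${old:+:$old}"
}

# Demo on local variables only (the real LD_LIBRARY_PATH is not touched).
# Directory values are the ones visible in the post's echo output.
QTDIR=/home/kde-devel/qt-copy
KDEDIR=/home/kde-devel/kde
inherited=""                          # the case the post describes
unsafe="$QTDIR/lib:$KDEDIR/lib:$inherited"
safe=$(path_prepend "$QTDIR/lib:$KDEDIR/lib" "$inherited")
for value in "$unsafe" "$safe"; do
    if path_has_cwd_entry "$value"; then
        echo "searches current directory: $value"
    else
        echo "ok: $value"
    fi
done
```

In a ~/.bashrc the same result comes from `export LD_LIBRARY_PATH=$(path_prepend "$QTDIR/lib:$KDEDIR/lib" "$LD_LIBRARY_PATH")`.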