Security risk in setting up $LD_LIBRARY_PATH by KDE script
mw_triad at users.sourceforge.net
Mon Mar 17 20:24:46 GMT 2008
Matthew Woehlke wrote:
> Vlad wrote:
>> The KDE script
>> that developers are encouraged to place in their ~/.bashrc file
>> contains the following line:
>> export LD_LIBRARY_PATH=$KDEDIR/lib:$QTDIR/lib:$LD_LIBRARY_PATH
>> If $LD_LIBRARY_PATH is empty before the above line is executed, then
>> the $LD_LIBRARY_PATH after that line will end in a colon (:).
>> $ echo $LD_LIBRARY_PATH
>> This causes files such as tls, i686, sse2, cmov and libc.so.6 to be
>> searched for in the current directory (.). Wouldn't this be a security
> No one else thinks so?
It appears that someone changed *just* the setting of LD_LIBRARY_PATH.
Since PATH should be clean also, I added my helper function (with the
name "prepend") and restructured the var setting. If a few people could
please review the changes, that would be good.
The new way also has the advantage of keeping Qt vars, KDE vars, etc.,
separate (because there is a 'prepend' per directory, rather than one
big assignment). To preserve ordering, I moved the whole Qt section up
and moved adding KDE to QT_PLUGIN_DIR into the KDE section.
Sending this e-mail does not constitute endorsement of the contents; I
may change my mind later. -- Unknown
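
The trailing-colon problem discussed in this thread, and one way a per-directory helper can avoid it, as an added example that is not the helper from the KDE script or from this message. The function bodies, `has_cwd_entry`, `DEMO_LIBPATH` and the `/opt/...` paths are assumptions; it also goes beyond the message by dropping empty and `.` entries already present in the list.

```shell
#!/bin/sh
# Added example: a hypothetical "prepend", not the helper from the KDE script.

# has_cwd_entry LIST: succeed if the colon-separated LIST has an empty or "."
# element, i.e. one that resolves to the current directory.
has_cwd_entry() {
    [ -n "$1" ] || return 1            # an empty list has no elements at all
    case ":$1:" in
        *::*|*:.:*) return 0 ;;
    esac
    return 1
}

# prepend VAR DIR: put absolute DIR first in the list held by variable VAR,
# never emitting an empty element even when VAR is unset or empty.
prepend() {
    _var=$1 _dir=$2
    case $_var in                      # only a plain variable name reaches eval
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 2 ;;
    esac
    case $_dir in /*) ;; *) return 2 ;; esac
    eval "_cur=\${$_var-}"
    _new=$_dir
    _rest=$_cur:                       # trailing ":" terminates the last element
    while [ -n "$_rest" ]; do
        _e=${_rest%%:*}
        _rest=${_rest#*:}
        case $_e in
            ''|.|"$_dir") ;;           # drop empty, ".", and duplicates of DIR
            *) _new=$_new:$_e ;;
        esac
    done
    eval "$_var=\$_new"
    export "$_var"
}

# Constructed demo values; DEMO_LIBPATH stands in for LD_LIBRARY_PATH.
KDEDIR=/opt/kde4 QTDIR=/opt/qt4
unset DEMO_LIBPATH
naive="$KDEDIR/lib:$QTDIR/lib:${DEMO_LIBPATH-}"   # the pattern quoted above
has_cwd_entry "$naive" && echo "naive:   '$naive' includes the current directory"
prepend DEMO_LIBPATH "$QTDIR/lib"
prepend DEMO_LIBPATH "$KDEDIR/lib"
has_cwd_entry "$DEMO_LIBPATH" || echo "prepend: '$DEMO_LIBPATH' has no empty element"
```

Calling `prepend` once per directory, last-wanted first, reproduces the original search order without the empty trailing element.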
More information about the kde-core-devel