Security risk in setting up $LD_LIBRARY_PATH by KDE script
Matthew Woehlke
mw_triad at users.sourceforge.net
Mon Mar 17 20:24:46 GMT 2008
Matthew Woehlke wrote:
> Vlad wrote:
>> The KDE script
>> (http://techbase.kde.org/index.php?title=Getting_Started/Increased_Productivity_in_KDE4_with_Scripts/.bashrc)
>> that developers are encouraged to place in their ~/.bashrc file
>> contains the following line:
>>
>> export LD_LIBRARY_PATH=$KDEDIR/lib:$QTDIR/lib:$LD_LIBRARY_PATH
>>
>> If $LD_LIBRARY_PATH is empty before the above line is executed, then
>> the $LD_LIBRARY_PATH after that line will end in a colon (:).
>>
>> $ echo $LD_LIBRARY_PATH
>> /home/kde-devel/qt-copy/lib:/home/kde-devel/kde/lib:
>>
>> This causes files such as tls, i686, sse2, cmov and libc.so.6 to be
>> searched for in the current directory (.). Wouldn't this be a security
>> risk?
>
> No one else thinks so?

It appears that someone changed *just* the setting of LD_LIBRARY_PATH.
Since PATH should be clean also, I added my helper function (with the
name "prepend") and restructured the var setting. If a few people could
please review the changes, that would be good.

The new way also has the advantage of keeping Qt vars, KDE vars, etc.,
separate (because there is a 'prepend' per directory, rather than one
big assignment). To preserve ordering, I moved the whole Qt section up
and moved adding KDE to QT_PLUGIN_DIR into the KDE section.

--
Matthew
Sending this e-mail does not constitute endorsement of the contents; I
may change my mind later. -- Unknown
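
The trailing-colon problem and a `prepend`-style fix discussed in this thread, as an added example in POSIX shell. It is not the helper from the KDE script or from this message: only the name `prepend` comes from the thread, while the function bodies, `naive_assign`, `has_empty_entry`, `strip_empty`, the scratch variable `DEMO_LIBS` and the `/k/lib`-style paths are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example. Only the name "prepend" comes from the thread; the bodies,
# the other function names and the /k/lib-style paths are assumptions.

# The assignment pattern quoted in the thread: KDE:QT:old value.
# With an empty old value the result ends in ':' (an empty last element).
naive_assign() { printf '%s:%s:%s\n' "$1" "$2" "$3"; }

# Succeed if a colon-separated list holds an empty element
# (leading ':', trailing ':' or '::').
has_empty_entry() {
    case $1 in
        :*|*:|*::*) return 0 ;;
    esac
    return 1
}

# Print LIST with every empty element dropped. Runs in a subshell so the
# IFS and globbing changes do not leak into the caller.
strip_empty() (
    IFS=:
    set -f
    out=
    for e in $1; do
        if [ -n "$e" ]; then out=${out:+$out:}$e; fi
    done
    printf '%s\n' "$out"
)

# prepend VAR DIR: put DIR first in the list held by VAR and export it.
# Returns 2 for a bad variable name, 1 for an empty DIR.
prepend() {
    case $1 in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 2 ;;  # keep eval to plain names
    esac
    [ -n "$2" ] || return 1
    eval "_cur=\${$1-}"
    _cur=$(strip_empty "$_cur")                 # clean what is already there
    eval "$1=\$2\${_cur:+:\$_cur}"              # add ':' only if a tail exists
    export "$1"
}

# Constructed demo on a scratch variable; the real LD_LIBRARY_PATH is untouched.
DEMO_LIBS=
prepend DEMO_LIBS /q/lib
prepend DEMO_LIBS /k/lib
echo "naive:   $(naive_assign /k/lib /q/lib '')"
echo "prepend: $DEMO_LIBS"
```

`has_empty_entry "$LD_LIBRARY_PATH"` can be run in an existing shell session to check whether the current value already carries an empty element.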