Bugtraq mailing list archives
Re: PATH variable in zip-slackware 2.0.35
From: kay () PHREEDOM ORG (kay)
Date: Wed, 6 Jan 1999 12:43:41 +0200
On Tue, 5 Jan 1999, Karl Stevens wrote:
Have to comment here one last time:

This is not true. This is output from a clean Slackware 3.6:

Well, it's true on ALL of my systems (14 to date):

    schon:~$ echo $PATH
    /usr/local/bin:/bin:/usr/bin:/usr/X11/bin:/usr/andrew/bin:/usr/openwin/bin:/usr/games:.
    schon:~$ su
    Password:
    schon:/home/karl# echo $PATH
    /usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin

Sorry, my fault. The path is even more restricted when you do plain su to a normal user (it is the $ENV_PATH in /etc/login.defs):

    bash# su nobody
    bash$ echo $PATH
    /usr/local/bin:/bin:/usr/bin

The example in my posting was after direct login as root. The same thing is observed when "su - <user>" is used to set her environment properly:

    bash$ echo $PATH
    /usr/local/bin:/bin:/usr/bin:/usr/X11/bin:/usr/andrew/bin:/usr/openwin/bin \
    :/usr/games:.
    bash$ su -
    Password:
    bash# echo $PATH
    /usr/local/bin:/bin:/usr/bin:/usr/X11/bin:/usr/andrew/bin:/usr/openwin/bin \
    :/usr/games:.

A quick look through the init scripts reveals no distinction whether they run as root, other privileged uid, or something.

Another quick look reveals this:

    schon:/etc# grep 'ENV_SUPATH' /etc/login.defs
    # Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH.
    ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin

But this is only when su is used?! It was about shell init scripts that are present by default.

[snip]

Granted there are problems with security on a default Slackware install (including ttyp's in /etc/securetty for one) I don't think this is really one of them.. either that, or I'm doing something totally different than you are during install.

Agreed. The world-readable /root directory, missing umask (so it defaults to 022), /etc/rc.d/* scripts are some examples. I'm not trying to say Slackware is insecure. IMHO it is the most do-it-yourself-flavoured major Linux distribution; how it works depends entirely on you. I do not know if there is something specific to _my_ install - it's pure Slackware 3.6, downloaded from a local mirror. All problems mentioned in the original posting about zipslack were present on my (only :-) box.

--
kay // kay () phreedom org
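
An added example, not part of the message above or of Slackware: a POSIX shell check that flags PATH entries searched relative to the current directory (".", an empty entry, any non-absolute entry) and reads ENV_PATH / ENV_SUPATH out of a login.defs-style file. The function names and the sample file are assumptions made for this sketch; the sample values are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example; sample data below is constructed from values quoted in the thread.

# unsafe_path_entries PATHSTRING
# Prints one line per entry that is searched relative to the current
# directory: ".", any other non-absolute entry, or an empty entry (a leading,
# trailing or doubled colon). Returns 1 if any were found, else 0.
unsafe_path_entries() {
    rest=$1
    found=0
    while :; do
        case $rest in
            *:*) entry=${rest%%:*}; rest=${rest#*:}; last=0 ;;
            *)   entry=$rest; last=1 ;;
        esac
        case $entry in
            '') echo "empty entry (current directory)"; found=1 ;;
            /*) ;;
            *)  echo "relative entry: $entry"; found=1 ;;
        esac
        [ "$last" -eq 1 ] && break
    done
    return "$found"
}

# login_defs_path KEY
# Reads a login.defs-style file on stdin and prints the PATH that KEY
# (ENV_PATH or ENV_SUPATH) assigns, without the "PATH=" prefix.
login_defs_path() {
    sed -n "s/^$1[[:space:]][[:space:]]*PATH=//p" | tail -n 1
}

# Constructed sample: the two login.defs settings named in the thread.
sample_login_defs() {
    cat <<'EOF'
# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH.
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin
ENV_PATH PATH=/usr/local/bin:/bin:/usr/bin
EOF
}

# The login-shell PATH shown in the thread ends in "."; the su PATHs do not.
login_path=/usr/local/bin:/bin:/usr/bin:/usr/X11/bin:/usr/andrew/bin:/usr/openwin/bin:/usr/games:.
unsafe_path_entries "$login_path" || echo "login PATH: unsafe"
for key in ENV_SUPATH ENV_PATH; do
    value=$(sample_login_defs | login_defs_path "$key")
    unsafe_path_entries "$value" && echo "$key: clean"
done
```

On a real system the same check is `login_defs_path ENV_SUPATH < /etc/login.defs`, and `unsafe_path_entries "$PATH"` run from a root login shell rather than after su.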