Bug 141480
Summary: | bogus "test" in path confuses colorls.csh | ||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 3 | Reporter: | Marvin Solomon <admin> | ||||||||||||
Component: | coreutils | Assignee: | Tim Waugh <twaugh> | ||||||||||||
Status: | CLOSED NOTABUG | QA Contact: | |||||||||||||
Severity: | medium | Docs Contact: | |||||||||||||
Priority: | medium | ||||||||||||||
Version: | 3.0 | CC: | admin | ||||||||||||
Target Milestone: | --- | ||||||||||||||
Target Release: | --- | ||||||||||||||
Hardware: | All | ||||||||||||||
OS: | Linux | ||||||||||||||
Whiteboard: | |||||||||||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||||||||||
Doc Text: | Story Points: | --- | |||||||||||||
Clone Of: | Environment: | ||||||||||||||
Last Closed: | 2005-01-18 17:40:31 UTC | Type: | --- | ||||||||||||
Regression: | --- | Mount Type: | --- | ||||||||||||
Documentation: | --- | CRM: | |||||||||||||
Verified Versions: | Category: | --- | |||||||||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||||||||
Embargoed: | |||||||||||||||
Attachments: |
|
Description
Marvin Solomon
2004-12-01 14:53:36 UTC
Created attachment 107715 [details]
colorls.csh
Please try this replacement.
This version replaces test COND && STMT with if ( COND ) STMT which fixes the original reported problem with "test". HOWEVER: 1. I can't verify whether it breaks the original purpose of this script, since I don't use the "color ls" feature. 2. While it fixes the problem with "test", it leaves a similar problem with "dircolors" and introduces a new one with "sed". If there is an executable version of either sed or dircolors earlier in your path than /bin/sed or /usr/bin/dircolors, you will see the same bizzare results. IMHO, scripts in /etc/profile.d should only use shell builtins and absolute paths. A good example is /etc/profile/lang.csh. A bad example is /etc/profile/less.csh, which uses relative pathnames for "cut" and "tr". I should point out that this problem has serious security implications. I will attach to this bug report what I consider to be the correct fixes to these files. I note that your version replaces a call to egrep with somewhat different logic using sed instead of egrep. Since I don't understand the reason for this change, my version will leave egrep alone (except for specifying an absolute path). Created attachment 109842 [details]
fixed version of /etc/profile.d/colorls.csh
Created attachment 109843 [details]
fixed version of /etc/profile.d/colorls.sh
Created attachment 109844 [details]
fixed version of /etc/profile.d/less.csh
Created attachment 109845 [details]
fixed version of /etc/profile.d/less.sh
Not all of the above files belong to the bash package. However: Do not put "." first in your PATH. > Not all of the above files belong to the bash package. No, none of them do. The colorls.* files are in coreutils-4.5.3-26 and the less.* files in less-378-11. They are all part of Red Hat Enterprise Linux. > However: > Do not put "." first in your PATH. Yes, as I said before, I know that one isn't supposed to do that. Nonetheless many people do and placing a stumbling block like this in files that executed by everybody without warning and before the user's own dot files is just asking for trouble. Tell me, what's wrong with the fixes I proposed? The fixes give the illusion of security where there is none. If you put "." first in your PATH, you must use full pathnames for every command you type, and so must every shell script you ever use. The only answer is not to put "." first in your PATH. I don't agree that an incomplete fix is worse than none, but I see your point. Thanks for responding. |