Description of problem: The sh-utils-1.16-paths.patch applied to the coreutils RPM incorrectly sets the compiled-in PATH used by 'su -' when it starts a login shell. It conflicts with both the LSB specification of su(1) and the actual behavior of login(1) [which is set by lib/pathnames.h in the util-linux package]. The sbin and bin versions of directories are set in opposite orders. The /bin/su program in coreutils sets default PATH to (regular user): /bin:/usr/bin:/usr/local/bin:/usr/bin/X11 (root): /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/bin/X11 The LSB 1.3 says that the default PATH set by 'su -' before /etc/profile is executed should be (regular user): /bin:/usr/bin (root): /sbin:/bin:/usr/sbin:/usr/bin The /bin/login program from util-linux uses a default PATH almost identical to the /bin/su LSB specification: (regular user): /usr/local/bin:/bin:/usr/bin (root): /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin [The man page for login(1) which discusses the default PATH is incorrect; see bug #102566.] The result is that when starting up a default login shell, PATH is set differently by /bin/login and /bin/su. The order of sbin and bin directories in the resulting PATH is different, which has contributed to at least one bug where a program name (up2date) existed in both /usr/bin and /usr/sbin [#102331]. Version-Release number of selected component (if applicable): coreutils-4.5.3-24 (/bin/su) util-linux-2.11y-22 (/bin/login) setup-2.5.25-1 (bash startup scripts) This problem also affects RHEL 2.1 AS and RHL 9. Steps to Reproduce: 1. Login as root through a virtual console and 'echo $PATH'. 2. Login as a regular user through a virtual console, 'su -', and 'echo $PATH'. Suggested fix: A replacement patch for sh-utils-1.16-paths.patch from coreutils is attached, which changes the default PATH to match the behavior of lib/pathnames.h from util-linux-2.11y and fixes the immediate problem. [This patch doesn't strictly follow the LSB. According to the LSB, /usr/local paths shouldn't be set by default by /bin/su, which this patch does. That should probably be done in /etc/profile, but that would require changes to the setup package, and possibly util-linux as well for consistency.]
Created attachment 93702 [details] Replacement for existing sh-utils-1.16-paths.patch.
An additional LSB conformance violation is that the coreutils /bin/su does not honor the ENV_PATH and ENV_SUPATH definitions in /etc/login.defs. Of course, this is because the LSB assumes that the version of su that is in the shadow-utils pristine source (which we don't package) is being used instead of the coreutils version of su.
Closing that forgotten modified bugzilla as ERRATA RHBA-2005:544 - duplicate bug #158741 was fixed in that update. Feel free to reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2005-544.html