From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040113 Description of problem: The script /etc/profile.d/colorls.csh contains lines like this: test -f ~/.dircolors && set COLORS=~/.dircolors If you have an executable named "test" in your path before /usr/bin/test, it gets executed, producing bizzare results. By default, tcsh sources /etc/csh.cshrc, which sources all of /etc/profile.d/*.csh, so any attempt to run a shell runs into it. Moreover, with the default environment setting LESSOPEN=|/usr/bin/lesspipe.sh %s any attempt to run less ultimately tries to run a shell which runs afoul of the bogus test. Version-Release number of selected component (if applicable): coreutils-4.5.3-26 How reproducible: Always Steps to Reproduce: 1. Create an executable "test" containing #!/bin/sh echo ======test "$@" sleep 3 echo ======done 2. Put this file somewhere early in your path. For example, put it in "." if "." is at the start of your path (yes, I know that's naughty, but that's not the point). 3. Type "tcsh" Actual Results: ======test -e /etc/DIR_COLORS.xterm-color ======done ======test -f /home/solomon/.dircolors ======done ======test -f ~/.dircolors.xterm-color ... etc ... Expected Results: A new tcsh should have started. Additional info: The script colorls.csh should be rewritten to use "/usr/bin/test" or "[" instead of "test".
Created attachment 107715 [details] colorls.csh Please try this replacement.
This version replaces test COND && STMT with if ( COND ) STMT which fixes the original reported problem with "test". HOWEVER: 1. I can't verify whether it breaks the original purpose of this script, since I don't use the "color ls" feature. 2. While it fixes the problem with "test", it leaves a similar problem with "dircolors" and introduces a new one with "sed". If there is an executable version of either sed or dircolors earlier in your path than /bin/sed or /usr/bin/dircolors, you will see the same bizzare results. IMHO, scripts in /etc/profile.d should only use shell builtins and absolute paths. A good example is /etc/profile/lang.csh. A bad example is /etc/profile/less.csh, which uses relative pathnames for "cut" and "tr". I should point out that this problem has serious security implications. I will attach to this bug report what I consider to be the correct fixes to these files. I note that your version replaces a call to egrep with somewhat different logic using sed instead of egrep. Since I don't understand the reason for this change, my version will leave egrep alone (except for specifying an absolute path).
Created attachment 109842 [details] fixed version of /etc/profile.d/colorls.csh
Created attachment 109843 [details] fixed version of /etc/profile.d/colorls.sh
Created attachment 109844 [details] fixed version of /etc/profile.d/less.csh
Created attachment 109845 [details] fixed version of /etc/profile.d/less.sh
Not all of the above files belong to the bash package. However: Do not put "." first in your PATH.
> Not all of the above files belong to the bash package. No, none of them do. The colorls.* files are in coreutils-4.5.3-26 and the less.* files in less-378-11. They are all part of Red Hat Enterprise Linux. > However: > Do not put "." first in your PATH. Yes, as I said before, I know that one isn't supposed to do that. Nonetheless many people do and placing a stumbling block like this in files that executed by everybody without warning and before the user's own dot files is just asking for trouble. Tell me, what's wrong with the fixes I proposed?
The fixes give the illusion of security where there is none. If you put "." first in your PATH, you must use full pathnames for every command you type, and so must every shell script you ever use. The only answer is not to put "." first in your PATH.
I don't agree that an incomplete fix is worse than none, but I see your point. Thanks for responding.