Bug 174211 - cron.daily/rpm should have other name than rpm
Product: Fedora
Classification: Fedora
Component: rpm
All Linux
Priority: medium, Severity: medium
Assigned To: Paul Nasrat
Mike McLean
Reported: 2005-11-25 17:40 EST by Sergio Monteiro Basto
Modified: 2007-11-30 17:11 EST
Fixed In Version: rpm-4.4.2-11
Doc Type: Bug Fix
Last Closed: 2005-12-01 08:40:28 EST

Description Sergio Monteiro Basto 2005-11-25 17:40:54 EST
Description of problem:

As root, I like to put . in PATH, and if I go to /etc/cron.daily and run rpm I take
the machine down!

Version-Release number of selected component (if applicable):

Steps to Reproduce:
1. export PATH=.:$PATH
2. cd /etc/cron.daily 
3. rpm
Additional info:
This takes the machine down.
Two ways to resolve this issue:
mv rpm rpm.cron
edit rpm and change rpm to /bin/rpm

The problem is having two rpm files, one of which calls rpm again; this could be avoided.
Comment 1 Paul Nasrat 2005-11-26 11:51:05 EST
Having '.' in PATH as root is heavily discouraged, for reasons such as the above
(consider /tmp where all users can write for example)
Comment 2 Sergio Monteiro Basto 2005-11-30 23:09:56 EST
Well, the problem is not the . in PATH, the problem is having two executables with
the same name.
Try putting /etc/cron.daily/ in PATH before /usr/bin and see what happens when you run
/etc/cron.daily/rpm.
This has two problems: /etc/cron.daily/rpm calls rpm without a PATH, so bash has to
look in the path for an rpm, which could be itself.

Do you understand what my point is?
Comment 3 Paul Nasrat 2005-12-01 08:40:28 EST
The root cause of your problem is having '.' in a path, causing the script to be
in your PATH.

I as a malicious user can create a +s shell, add a new uid 0 user, or any number of
things in /tmp/rpm or /tmp/anylikelycommand if you have . in PATH as root and
are not careful.

/etc/cron.daily should never be in any sane PATH, so normal users don't care.
Comment 4 Sergio Monteiro Basto 2005-12-01 11:29:58 EST
Well, I give up,
this discussion doesn't go anywhere,

but keep in mind, for me, the problem is having two executable files called rpm,
one /bin/rpm and the other /etc/cron.daily/rpm, and
/etc/cron.daily/rpm calls rpm without any PATH.
If /etc/cron.daily/rpm called /bin/rpm, I wouldn't have this problem.
Comment 5 Michael Jennings (KainX) 2005-12-01 11:37:32 EST
The problem is not that the /etc/cron.daily/rpm script is named rpm.  The
problem is that it doesn't give an absolute path to /bin/rpm when invoking it,
nor does it reset the PATH variable to a well-defined secure value.  This is
indeed a potential risk.

This should be reopened.
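Added illustration of the lookup behaviour Comment 5 describes, constructed for this page and not Fedora's actual /etc/cron.daily/rpm script: it builds a throwaway directory tree with a stand-in /bin/rpm and a same-named cron script, then shows which file a bare "rpm" resolves to under an inherited PATH versus a script that pins PATH and uses the absolute path. Nothing is executed; "command -v" only reports what would run.

```shell
#!/bin/sh
# Constructed demonstration, not Fedora's real /etc/cron.daily/rpm script.
# A cron script named "rpm" that runs a bare "rpm" resolves it through the
# inherited PATH; if the script's own directory (or ".") comes first, the
# lookup finds the script itself.  Pinning PATH and using the absolute
# path removes the ambiguity.  Only "command -v" is used, so nothing runs.

setup_demo() {                         # builds a throwaway tree, prints its root
    demo=$(mktemp -d)
    mkdir -p "$demo/bin" "$demo/cron.daily"
    printf '#!/bin/sh\n' > "$demo/bin/rpm"          # stand-in for /bin/rpm
    printf '#!/bin/sh\n' > "$demo/cron.daily/rpm"   # the cron script
    chmod +x "$demo/bin/rpm" "$demo/cron.daily/rpm"
    echo "$demo"
}

# Weak form: the bare name "rpm" is looked up in whatever PATH was inherited.
resolve_weak() {                       # $1 = inherited PATH
    ( PATH="$1"; export PATH; command -v rpm )
}

# Same weakness with "." in PATH while sitting in the cron directory,
# which is exactly the reporter's sequence of steps.
resolve_weak_dot() {                   # $1 = demo root
    ( cd "$1/cron.daily" && PATH=".:$1/bin" && export PATH && command -v rpm )
}

# Hardened form: PATH reset to known directories (here the demo's bin; in a
# real script something like /sbin:/bin:/usr/sbin:/usr/bin) and the program
# named by absolute path, so the caller's PATH no longer matters.
resolve_hardened() {                   # $1 = demo root
    ( PATH="$1/bin"; export PATH; command -v "$1/bin/rpm" )
}

demo=$(setup_demo)
echo "weak, cron dir first : $(resolve_weak "$demo/cron.daily:$demo/bin")"
echo "weak, '.' first      : $(resolve_weak_dot "$demo")"
echo "hardened             : $(resolve_hardened "$demo")"
rm -rf "$demo"
```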
Comment 6 Paul Nasrat 2005-12-07 10:32:00 EST
