Bug 223963 - .bash_logout: use full path for 'clear'
Summary: .bash_logout: use full path for 'clear'
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: bash   
(Show other bugs)
Version: 5.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Tomas Janousek
QA Contact: Chris Ward
URL:
Whiteboard:
Keywords: Reopened
Depends On: 380421
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-01-23 11:26 UTC by Tim Waugh
Modified: 2008-05-21 15:35 UTC (History)
0 users

Fixed In Version: RHBA-2008-0380
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-21 15:35:58 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2008:0380 normal SHIPPED_LIVE bash bug fix update 2008-05-20 16:48:21 UTC

Description Tim Waugh 2007-01-23 11:26:56 UTC
+++ This bug was initially created as a clone of Bug #223960 +++

Description of problem:
/etc/skel/.bash_logout invokes "clear"

i.e. "clear" is being searched on $PATH.
This breaks if users screw up their $PATH. 

IMO, this should be /usr/bin/clear instead.

Version-Release number of selected component (if applicable):
bash-3.1-16.1

How reproducible:
Deterministic.

Steps to Reproduce:
1. copy /etc/skel/.bash_logout to $(HOME):
cp /etc/skel/.bash_logout ~

2. Break your $PATH, e.g.
export PATH=/foo/bar:PATH
[A classical typo users trip into when modifying $PATH]

3. logout:
exit
  
Actual results:
> exit
logout
-bash: clear: command not found

Expected results:
Function.

Additional info:
IMO, this also is a security leak. "clear" is a too common name to search for on
$PATH.

Comment 1 RHEL Product and Program Management 2007-01-23 11:40:35 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 2 Florian La Roche 2007-01-24 11:32:34 UTC
Moving onto the 5.1 list.

regards,

Florian La Roche


Comment 3 Daniel Riek 2007-03-15 18:48:57 UTC
Clearing left-over pm_ack

Comment 4 Lubomir Kundrak 2007-03-28 11:40:11 UTC
I disagree with that this is a security issue. clear is _not_ guaranteed to
clear a scrollback buffer, nor does it do so on Linux console, nor are terminals
required to be able to do it. Removing Security keyword.

Comment 5 RHEL Product and Program Management 2007-06-05 20:40:33 UTC
This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release.  Since this
bugzilla is in a component that is not approved for the current
release, it has been closed with resolution deferred.  You may
reopen this bugzilla for consideration in the next release.

Comment 6 Tim Waugh 2007-06-06 08:35:28 UTC
Proposing for RHEL-5.2.0.

Comment 7 RHEL Product and Program Management 2007-10-16 04:05:46 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 12 errata-xmlrpc 2008-05-21 15:35:58 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0380.html



Note You need to log in before you can comment on or make changes to this bug.