Red Hat Bugzilla – Bug 3677
kdm puts :: (current directory) in PATH
Last modified: 2008-05-01 11:37:50 EDT
kdebase-1.1.1-1.i386.rpm downloaded today from updates.redhat.com puts the current directory on PATH. It does this only when kdm is used instead of xdm, etc. This encourages trojan horses. Since RH pacakged and distributed this kdebase, it would seem that it's up to RH to fix this.
The kdebase-1.1.1-1.i386.rpm on updates.redhat.com contains a kdm which puts . on the PATH, which encourages trojan horses.
Unable to replicate in test lab. Installed kde-1.1.1-1 from updates and started KDM, no changes were made to PATH variable. Verify the packages thta you have installed and reopen this bug if you still have the problem or can replicate it.
BUT THE BUG LIVES. How to demonstrate it in RH6.1: 1. Have /usr/bin/kdm installed (it's in kdebase). 2. Rename /usr/bin/gdm so it is NOT available. 3. telinit 3; telinit 5 to get kdm running. 4. log into the kdm screen. 5. Run these commands in an xterm to observe that the current directory is on the path. echo "echo whinney" >horse chmod +x horse horse If the horse whinneys you are vulnerable to attacks from trojans in the current directory. Observe that PATH includes :: which means current directory. KDM has been putting the current directory on the path without regard to the user running GNOME desktop, KDE desktop, etc. It's a KDM bug pure and simple. Could the KDE guys really be ignorant of this Trojan Horse invitation? This happens only when kdm has logged you in. Not with gdm, not with xdm, not with startx.
kdm does NOT put . in the path. It must be a local configuration error.
Then what does put the current directory on the path here? This bug is reproducable on freshly installed, unconfigured RH6.1 so it can't be a local configuration problem. How to confirm: 1. Do CUSTOM installation of default package sets + KDE. 2. rpm -e gdm 3. Reboot, log into the kdm screen, and start an xterm. 4. echo $PATH /sbin:/usr/sbin:/bin:/usr/bin::/usr/X11R6/bin:/root/bin ^^ The "::" is the current directory on the PATH, which makes it easier to run trojan horses. Nothing but avoiding kdm seems to change this. It's been in every kdm version since KDE appeared on Red Hat. I have tried: installing all official updates, installing the "Gotchas" fixes, logging in as root and plain user, gnome vs kde desktop, xterm vs gnome-terminal vs konsole vs rxvt. I'm using a Red Hat RH6.1 ISO image on CD with md5sums checked. rpm -K confirms md5 and gpg on all rpms.
This appears to be a synergistic effect. kdm apparently sets a path ending in : /etc/profile then executes PATH="$PATH:/usr/X11R6/bin" This can be confirmed by placing echo $PATH >$HOME/.debug in /etc/profile before the aforementioned line.
fixed for next release.