Red Hat Bugzilla – Bug 3677
kdm puts :: (current directory) in PATH
Last modified: 2008-05-01 11:37:50 EDT
kdebase-1.1.1-1.i386.rpm downloaded today from
updates.redhat.com puts the current directory on PATH. It
does this only when kdm is used instead of xdm, etc.
This encourages trojan horses.
Since RH packaged and distributed this kdebase, it would
seem that it's up to RH to fix this.
The kdebase-1.1.1-1.i386.rpm on updates.redhat.com contains a kdm
which puts . on the PATH, which encourages trojan horses.
Unable to replicate in test lab. Installed kde-1.1.1-1 from updates
and started KDM, no changes were made to PATH variable.
Verify the packages that you have installed and reopen this bug if you
still have the problem or can replicate it.
BUT THE BUG LIVES. How to demonstrate it in RH6.1:
1. Have /usr/bin/kdm installed (it's in kdebase).
2. Rename /usr/bin/gdm so it is NOT available.
3. telinit 3; telinit 5 to get kdm running.
4. log into the kdm screen.
5. Run these commands in an xterm to observe that the
current directory is on the path.
    echo "echo whinney" >horse
    chmod +x horse
    horse
If the horse whinnies you are vulnerable to attacks
from trojans in the current directory. Observe that
PATH includes :: which means current directory.
KDM has been putting the current directory on
the path without regard to the user running GNOME
desktop, KDE desktop, etc. It's a KDM bug pure and
simple. Could the KDE guys really be ignorant of this
Trojan Horse invitation?
This happens only when kdm has logged you in.
Not with gdm, not with xdm, not with startx.
kdm does NOT put . in the path. It must be a local configuration error.
Then what does put the current directory on the path here?
This bug is reproducible on freshly installed, unconfigured RH6.1
so it can't be a local configuration problem. How to confirm:
1. Do CUSTOM installation of default package sets + KDE.
2. rpm -e gdm
3. Reboot, log into the kdm screen, and start an xterm.
4. echo $PATH
The "::" is the current directory on the PATH,
which makes it easier to run trojan horses.
Nothing but avoiding kdm seems to change this.
It's been in every kdm version since KDE appeared on Red Hat.
I have tried: installing all official updates, installing
the "Gotchas" fixes, logging in as root and plain user,
gnome vs kde desktop, xterm vs gnome-terminal vs konsole vs rxvt.
I'm using a Red Hat RH6.1 ISO image on CD with md5sums checked.
rpm -K confirms md5 and gpg on all rpms.
This appears to be a synergistic effect.
kdm apparently sets a path ending in ":".
/etc/profile then executes
This can be confirmed by placing
    echo $PATH >$HOME/.debug
in /etc/profile before the aforementioned line.
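The following is an added example, not code from the bug report, from Red Hat or from the KDE project. It reproduces the interaction described in the last comment (a display manager exporting a PATH that ends in ":", which a profile line of the form PATH="$PATH:$HOME/bin" then turns into "::"), provides a check that flags any PATH containing an empty component or ".", and re-creates the "horse" test from the earlier comment without actually executing the planted file. The exact PATH kdm exported and the exact /etc/profile line are not shown in the report, so the values used here are assumptions; the scratch directory and the file name "horse" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the bug report): reproduce and detect a PATH that
# includes the current directory. Sample PATH strings are constructed; the
# real kdm PATH and /etc/profile line are not shown in the report.

# path_has_cwd PATHVALUE
#   Succeeds (returns 0) when PATHVALUE would make the shell search the
#   current directory: an empty component (leading colon, trailing colon,
#   or "::") or an explicit "." component. The value is wrapped in colons
#   so that leading and trailing cases become the same "::" pattern.
#   (Relative entries such as "./bin" are not flagged; they are a separate
#   problem and not what the report describes.)
path_has_cwd() {
    case ":$1:" in
        *::*|*:.:*) return 0 ;;
    esac
    return 1
}

# reproduce_double_colon
#   Simulates the "synergistic effect" from the report: the display manager
#   hands the session a PATH ending in ":" (assumed shape), and an
#   /etc/profile append of the form PATH="$PATH:$HOME/bin" (assumed shape)
#   produces "::" in the middle. Prints the resulting PATH.
reproduce_double_colon() {
    kdm_path="/usr/bin:/bin:"                  # assumed: trailing colon from kdm
    profile_path="$kdm_path:/home/user/bin"    # assumed: profile appends $HOME/bin
    printf '%s\n' "$profile_path"
}

# trojan_reachable PATHVALUE
#   Safer version of the "horse" test from the report: drop an executable
#   named "horse" into a scratch directory, cd there in a subshell, and ask
#   the shell whether the bare name "horse" resolves under PATHVALUE. The
#   planted file is never executed. Returns 0 if it would be found.
trojan_reachable() {
    dir=$(mktemp -d) || return 2
    printf '#!/bin/sh\necho whinney\n' > "$dir/horse"
    chmod +x "$dir/horse"
    ( cd "$dir" || exit 2
      PATH=$1; export PATH
      command -v horse >/dev/null 2>&1 ) && rc=0 || rc=1
    rm -rf "$dir"
    return $rc
}

# Demonstration with the constructed values.
demo_path=$(reproduce_double_colon)
printf 'PATH after profile: %s\n' "$demo_path"
if path_has_cwd "$demo_path"; then
    echo "current directory is on PATH: a file named 'horse' in the cwd runs as 'horse'"
fi
if trojan_reachable "$demo_path"; then
    echo "planted 'horse' would be resolved by bare-name lookup"
fi
```

Run it as a plain script; to check a live session instead of the constructed value, call `path_has_cwd "$PATH"` from the xterm that kdm started. The case pattern is deliberately used instead of splitting on IFS, because most shells drop a trailing empty field when splitting, which is exactly the component this bug produces.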
fixed for next release.