Bug 3677 - kdm puts :: (current directory) in PATH
Summary: kdm puts :: (current directory) in PATH
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: kdebase
Version: 6.1
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
Assignee: Preston Brown
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 1999-06-23 16:49 UTC by Jan Carlson
Modified: 2008-05-01 15:37 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2000-01-24 20:47:53 UTC
Embargoed:



Description Jan Carlson 1999-06-23 16:49:31 UTC
kdebase-1.1.1-1.i386.rpm downloaded today from
updates.redhat.com puts the current directory on PATH.  It
does this only when kdm is used instead of xdm, etc.

This encourages trojan horses.

Since RH packaged and distributed this kdebase, it would
seem that it's up to RH to fix this.

Comment 1 Jan Carlson 1999-06-23 16:52:59 UTC
The kdebase-1.1.1-1.i386.rpm on updates.redhat.com contains a kdm
which puts . on the PATH, which encourages trojan horses.

Comment 2 Jay Turner 1999-06-23 17:24:59 UTC
Unable to replicate in test lab.  Installed kde-1.1.1-1 from updates
and started KDM, no changes were made to PATH variable.

Verify the packages that you have installed and reopen this bug if you
still have the problem or can replicate it.

Comment 3 Jan Carlson 1999-12-23 02:38:59 UTC
BUT THE BUG LIVES.  How to demonstrate it in RH6.1:

1. Have /usr/bin/kdm installed (it's in kdebase).

2. Rename /usr/bin/gdm so it is NOT available.

3. telinit 3; telinit 5    to get kdm running.

4. log into the kdm screen.

5. Run these commands in an xterm to observe that the
current directory is on the path.

echo "echo whinney" >horse
chmod +x horse
horse

If the horse whinnies you are vulnerable to attacks
from trojans in the current directory.  Observe that
PATH includes :: which means current directory.

KDM has been putting the current directory on
the path without regard to the user running GNOME
desktop, KDE desktop, etc.  It's a KDM bug pure and
simple.  Could the KDE guys really be ignorant of this
Trojan Horse invitation?

This happens only when kdm has logged you in.
Not with gdm, not with xdm, not with startx.

Comment 4 Preston Brown 2000-01-13 22:32:59 UTC
kdm does NOT put . in the path.  It must be a local configuration error.

Comment 5 Jan Carlson 2000-01-14 03:42:59 UTC
Then what does put the current directory on the path here?

This bug is reproducible on freshly installed, unconfigured RH6.1
so it can't be a local configuration problem. How to confirm:

1. Do CUSTOM installation of default package sets + KDE.
2. rpm -e gdm
3. Reboot, log into the kdm screen, and start an xterm.
4. echo $PATH
   /sbin:/usr/sbin:/bin:/usr/bin::/usr/X11R6/bin:/root/bin
                                ^^
The "::" is the current directory on the PATH,
which makes it easier to run trojan horses.

Nothing but avoiding kdm seems to change this.
It's been in every kdm version since KDE appeared on Red Hat.
I have tried:  installing all official updates, installing
the "Gotchas" fixes, logging in as root and plain user,
gnome vs kde desktop, xterm vs gnome-terminal vs konsole vs rxvt.

I'm using a Red Hat RH6.1 ISO image on CD with md5sums checked.
rpm -K  confirms md5 and gpg on all rpms.

Comment 6 Simon Hill 2000-01-23 01:26:59 UTC
This appears to be a synergistic effect.

kdm apparently sets a path ending in :

/etc/profile then executes

PATH="$PATH:/usr/X11R6/bin"

This can be confirmed by placing

echo $PATH >$HOME/.debug

in /etc/profile before the aforementioned line.
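The mechanism described in comments 5 and 6 (a login manager leaving PATH with a trailing ":" and /etc/profile then doing PATH="$PATH:/usr/X11R6/bin", which yields "::") can be checked for and avoided in shell. The following is an added example, not code from this bug report, from kdm, or from Red Hat's /etc/profile: path_has_cwd reports whether a PATH string contains an empty or "." component (an empty component is searched as the current directory), and path_clean / path_append rebuild a PATH string without such components. The sample PATH value is the one quoted in comment 5.

```shell
#!/bin/sh
# Added example: detect and repair PATH strings that put the current
# directory on the search path via an empty component ("::", leading
# or trailing ":") or an explicit ".".

# path_has_cwd PATHSTRING
# Returns 0 if any component of PATHSTRING is empty or ".", i.e. the
# current directory would be searched for commands.
path_has_cwd() {
    case ":$1:" in
        *::*|*:.:*) return 0 ;;
    esac
    return 1
}

# path_clean PATHSTRING
# Prints PATHSTRING with every empty and "." component removed.
# Globbing is disabled while the unquoted split runs so that a
# component such as "/usr/*" is not expanded.
path_clean() {
    _old_ifs=$IFS
    set -f
    IFS=:
    _out=""
    for _d in $1; do
        if [ -n "$_d" ] && [ "$_d" != . ]; then
            _out="${_out:+$_out:}$_d"
        fi
    done
    IFS=$_old_ifs
    set +f
    printf '%s\n' "$_out"
}

# path_append PATHSTRING DIR
# Safe replacement for PATH="$PATH:DIR": appending to a PATH that is
# empty or already ends in ":" no longer creates an empty component.
path_append() {
    path_clean "$1:$2"
}

# PATH observed by the reporter in comment 5 after a kdm login.
REPORTED_PATH='/sbin:/usr/sbin:/bin:/usr/bin::/usr/X11R6/bin:/root/bin'

if path_has_cwd "$REPORTED_PATH"; then
    printf 'current directory is on PATH: %s\n' "$REPORTED_PATH"
    printf 'cleaned: %s\n' "$(path_clean "$REPORTED_PATH")"
fi
```

Run against the live environment with `path_has_cwd "$PATH"` from an xterm after login; a login manager that exports a trailing-colon PATH is caught before /etc/profile turns it into "::", and a profile that appends with path_append instead of plain string concatenation does not introduce the empty component in the first place.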

Comment 7 Preston Brown 2000-01-24 20:47:59 UTC
fixed for next release.

