Red Hat Bugzilla – Bug 58069
default root path for sshd is security hazard
Last modified: 2007-04-18 12:38:54 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.2.1) Gecko/20010901
Description of problem:
The sshd binary in the latest openssh server, openssh-server-2.9p2-12.i386.rpm
was compiled with /usr/local/sbin as the first directory in root's path and
/usr/local/bin as the first directory in a normal user's path. Was this your
intent? Seems like a horrid security hole to me.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Just install the RPM
Actual Results: Log in as root or as a normal user and check your $PATH
Expected Results: I would want my $PATH to start with /bin:/usr/bin......

This is done to match the behavior of login. Neither /usr/local/bin nor
/usr/local/sbin is writable by users other than root, so I don't consider it a
problem. If the PATH as set by login is different, then sshd should be modified
to match. I'm not averse to changing it, but the current behavior is intentional.
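
Whether the PATH order discussed above is a problem depends on who can write to the directories searched first. The following check is an added example, not part of the bug report or of openssh: it walks a PATH string in search order and flags entries that are relative, not owned by the expected uid, or group/world-writable. The names audit_path and TRUSTED_UID are made up for this example, and GNU coreutils stat is assumed.

```shell
#!/bin/sh
# Added example: audit every directory of a PATH string, in search order.
# audit_path and TRUSTED_UID are names made up for this example.
# Assumes GNU coreutils stat (stat -c), as shipped on Red Hat systems.

TRUSTED_UID=${TRUSTED_UID:-0}   # uid expected to own every PATH directory

# Prints "<verdict> <dir>" per entry; returns 1 if any entry is risky.
audit_path() {
    path_string=$1
    risky=0
    old_ifs=$IFS
    IFS=:
    set -f                      # no globbing while splitting on ':'
    for dir in $path_string; do
        IFS=$old_ifs            # the word list is already split
        case $dir in
            /*) ;;
            *)  # empty or relative entry: resolved against the current directory
                echo "RELATIVE ${dir:-.}"; risky=1; continue ;;
        esac
        if [ ! -d "$dir" ]; then
            echo "MISSING $dir" # informational only, not counted as risky
            continue
        fi
        owner=$(stat -L -c '%u' "$dir")
        mode=$(stat -L -c '%a' "$dir")   # octal digits, e.g. 755 or 1777
        other=$((mode % 10))
        group=$((mode / 10 % 10))
        if [ "$owner" != "$TRUSTED_UID" ]; then
            echo "OWNER $dir"; risky=1
        elif [ $((other & 2)) -ne 0 ]; then
            echo "WORLD-WRITABLE $dir"; risky=1
        elif [ $((group & 2)) -ne 0 ]; then
            echo "GROUP-WRITABLE $dir"; risky=1
        else
            echo "ok $dir"
        fi
    done
    IFS=$old_ifs
    set +f
    return $risky
}

# Usage: audit_path "$PATH"
```

Run it in a session opened through sshd and again in one opened through login to compare the two PATH values entry by entry.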