Bug 58069 - default root path for sshd is security hazard
Summary: default root path for sshd is security hazard
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: openssh
Version: 7.2
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2002-01-07 19:45 UTC by Tom Manos
Modified: 2007-04-18 16:38 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2002-01-07 19:45:45 UTC
Embargoed:

Attachments (Terms of Use)

Description Tom Manos 2002-01-07 19:45:40 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.2.1) Gecko/20010901

Description of problem:
the sshd binary in the latest openssh server, openssh-server-2.9p2-12.i386.rpm
was compiled with /usr/local/sbin as the first directory in root's path and
/usr/local/bin as the first directory in a normal user's path. Was this your
intent? Seems like a horrid security hole to me.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Just install the RPM
2.
3.
	

Actual Results:  Log in as root or as a normal user and check your $PATH

Expected Results:  I would want my $PATH to start with /bin:/usr/bin......

Additional info:
Comment 1 Nalin Dahyabhai 2002-01-18 18:00:11 UTC 
This is done to match the behavior of login.  Neither /usr/local/bin nor
/usr/local/sbin are writable by users other than root, so I don't consider it a
problem.  If the PATH as set by login is different, then sshd should be modified
to match.  I'm not adverse to changing it, but the current behavior is intentional.
Note You need to log in before you can comment on or make changes to this bug.