Bug 58069 - default root path for sshd is security hazard
Summary: default root path for sshd is security hazard
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: openssh   
(Show other bugs)
Version: 7.2
Hardware: i386 Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2002-01-07 19:45 UTC by Tom Manos
Modified: 2007-04-18 16:38 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2002-01-07 19:45:45 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Tom Manos 2002-01-07 19:45:40 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20010901

Description of problem:
the sshd binary in the latest openssh server, openssh-server-2.9p2-12.i386.rpm
was compiled with /usr/local/sbin as the first directory in root's path and
/usr/local/bin as the first directory in a normal user's path. Was this your
intent? Seems like a horrid security hole to me.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Just install the RPM

Actual Results:  Log in as root or as a normal user and check your $PATH

Expected Results:  I would want my $PATH to start with /bin:/usr/bin......

Additional info:

Comment 1 Nalin Dahyabhai 2002-01-18 18:00:11 UTC
This is done to match the behavior of login.  Neither /usr/local/bin nor
/usr/local/sbin are writable by users other than root, so I don't consider it a
problem.  If the PATH as set by login is different, then sshd should be modified
to match.  I'm not adverse to changing it, but the current behavior is intentional.

Note You need to log in before you can comment on or make changes to this bug.