Bug 58069 - default root path for sshd is security hazard
default root path for sshd is security hazard
Product: Red Hat Linux
Classification: Retired
Component: openssh (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
Brian Brock
: Security
Depends On:
  Show dependency treegraph
Reported: 2002-01-07 14:45 EST by Tom Manos
Modified: 2007-04-18 12:38 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2002-01-07 14:45:45 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Tom Manos 2002-01-07 14:45:40 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20010901

Description of problem:
the sshd binary in the latest openssh server, openssh-server-2.9p2-12.i386.rpm
was compiled with /usr/local/sbin as the first directory in root's path and
/usr/local/bin as the first directory in a normal user's path. Was this your
intent? Seems like a horrid security hole to me.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Just install the RPM

Actual Results:  Log in as root or as a normal user and check your $PATH

Expected Results:  I would want my $PATH to start with /bin:/usr/bin......

Additional info:
Comment 1 Nalin Dahyabhai 2002-01-18 13:00:11 EST
This is done to match the behavior of login.  Neither /usr/local/bin nor
/usr/local/sbin are writable by users other than root, so I don't consider it a
problem.  If the PATH as set by login is different, then sshd should be modified
to match.  I'm not adverse to changing it, but the current behavior is intentional.

Note You need to log in before you can comment on or make changes to this bug.