On Wednesday 14 April 2004 00.07, Phil Mocek wrote:
> I've found a bug that causes SuSEconfig (and, presumably, Yast2, since it uses SuSEconfig) to fail to update Postfix configuration and then incorrectly report that it has done so successfully.
>
> More alarmingly, if any command `postconf' exists in a user's PATH when running the SuSEconfig postfix module, *that command* (whichever one is found first; not necessarily the intended one) will be run by SuSEconfig.
I think it goes without saying that you should never have a user-writable directory in your path when you run things as root. There are lots of programs being executed in all the SuSEconfig scripts without a full path, such as cat or sed or ps. If someone has dropped a binary in $HOME/bin and that is first in your path, you're cooked. I think the real bug is that SuSEconfig doesn't reset the path to something sane.
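
The fix suggested in the reply above, as an added example that is not part of the original thread and is not SuSEconfig code: a root-run script pins PATH before it calls any bare command name, and can audit a PATH string for entries a non-root user could write to. `SANE_PATH`, `reset_path` and `audit_path` are names assumed for this sketch.

```shell
#!/bin/sh
# Added example, not SuSEconfig code. SANE_PATH, reset_path and audit_path
# are names assumed for this sketch.
SANE_PATH=/usr/sbin:/usr/bin:/sbin:/bin

# Pin PATH before any bare command name (cat, sed, ps, postconf) is run.
reset_path() {
    PATH=$SANE_PATH
    export PATH
    hash -r 2>/dev/null || :      # drop command locations cached earlier
}

# Print every entry of the PATH string $1 in which a non-root user could
# place a binary: empty or relative entries (both resolve against the
# current directory), group/other-writable directories, and directories
# not owned by uid 0 (for example $HOME/bin).
audit_path() {
    rest="$1:"                    # trailing ':' so the last entry is seen
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        case $dir in
            '') echo "UNSAFE empty entry (means current directory)"; continue ;;
            /*) ;;
            *)  echo "UNSAFE $dir (relative)"; continue ;;
        esac
        [ -d "$dir" ] || continue # entries that do not exist are skipped here
        # -L follows symlinks such as /bin -> usr/bin; -n prints a numeric uid
        set -- $(ls -ldnL "$dir")
        case $1 in
            ?????w*|????????w*)
                echo "UNSAFE $dir (group/other-writable: $1)"; continue ;;
        esac
        [ "$3" = 0 ] || echo "UNSAFE $dir (owner uid $3, not root)"
    done
}

# Report on the caller's PATH as inherited, then pin it.
audit_path "$PATH"
reset_path
```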