http://bugzilla.suse.com/show_bug.cgi?id=1127138

            Bug ID: 1127138
           Summary: YaST runs programs with wrong absolute path
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: All
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: YaST2
          Assignee: yast2-maintainers@suse.de
          Reporter: mvidner@suse.com
        QA Contact: jsrain@suse.com
          Found By: ---
           Blocker: ---

In a recent security hardening (bsc#1118291) we changed an invocation of
  system "mkdir #{dir}"
to
  system "/usr/sbin/mkdir #{dir.shellescape}"
which is wrong because the correct path is /usr/bin/mkdir.

Finding this particular problem has prompted us to look for similar bugs, be
they introduced by wrongly absolutizing program paths or by programs changing
their location.

I have found:

yast/yast-nfs-client/src/modules/Nfs.rb:563
  "/usr/sbin/rpcinfo"
yast/yast-yast2/library/network/src/modules/NetworkPopup.rb:198
  is /sbin/rpcinfo

yast/yast-users/src/modules/UsersRoutines.pm:49
  "/usr/sbin/cryptconfig"
  removed in 15.0,
  https://doc.opensuse.org/release-notes/x86_64/openSUSE/Leap/15.0/

yast/yast-bootloader/src/lib/bootloader/boot_record_backup.rb:39
  "/usr/sbin/mkdir"
  is /usr/bin/mkdir

yast/yast-packager/src/include/checkmedia/ui.rb:542
  "/bin/eject"
  is /usr/bin/eject

yast/yast-yast2/library/general/src/scrconf/run_ifconfig.scr:49
  "/sbin/ifconfig"
  is /usr/bin/ifconfig in net-tools-deprecated
  used by yast/yast-instserver/src/modules/Instserver.rb:673

-- 
You are receiving this mail because:
You are on the CC list for the bug.
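
Added example (not part of the bug report and not YaST code): a Ruby sketch of the audit the report describes, checking that each absolute program path in a source file is an executable and, if not, where the program really lives. The names audit_paths, executable_at? and demo, the sample lines and the temporary root directory are constructed for illustration.

```ruby
require "tmpdir"
require "fileutils"

BIN_DIRS = %w[/usr/bin /usr/sbin /bin /sbin].freeze
# An absolute program path at the start of a quoted string.
PATH_RE = %r{["']((?:/usr)?/s?bin/[\w.+-]+)}

# Constructed sample lines modelled on the cases in the report.
SAMPLE = <<~'RUBY'
  system "/usr/sbin/mkdir #{dir.shellescape}"
  system "/bin/eject #{device.shellescape}"
  system "/usr/sbin/cryptconfig #{args}"
  system "/usr/bin/mkdir -p #{dir.shellescape}"
RUBY

# True if +path+ is an executable regular file below +root+.
def executable_at?(root, path)
  full = File.join(root, path)
  File.file?(full) && File.executable?(full)
end

# Report every program path in +source+ that is not executable under +root+,
# with the directory where that program really is (nil if it is nowhere).
def audit_paths(source, root: "/")
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    line.scan(PATH_RE).flatten.each do |path|
      next if executable_at?(root, path)
      actual = BIN_DIRS.map { |d| File.join(d, File.basename(path)) }
                       .find { |c| executable_at?(root, c) }
      findings << { line: lineno, path: path, actual: actual }
    end
  end
  findings
end

# Run the audit against a constructed root that has only mkdir and eject.
def demo
  Dir.mktmpdir do |root|
    %w[usr/bin/mkdir usr/bin/eject].each do |rel|
      FileUtils.mkdir_p(File.join(root, File.dirname(rel)))
      FileUtils.touch(File.join(root, rel))
      File.chmod(0o755, File.join(root, rel))
    end
    audit_paths(SAMPLE, root: root)
  end
end

demo.each { |f| puts f.inspect }
```

Run with root: "/" on an installed system, or against an unpacked package tree, the same check flags both a path absolutized into the wrong directory and a program that has been removed.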