Bug ID | 1127138 |
---|---|
Summary | YaST runs programs with wrong absolute path |
Classification | openSUSE |
Product | openSUSE Tumbleweed |
Version | Current |
Hardware | All |
OS | Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | YaST2 |
Assignee | yast2-maintainers@suse.de |
Reporter | mvidner@suse.com |
QA Contact | jsrain@suse.com |
Found By | --- |
Blocker | --- |
In a recent security hardening (bsc#1118291) we changed an invocation of system "mkdir #{dir}" to system "/usr/sbin/mkdir #{dir.shellescape}" which is wrong because the correct path is /usr/bin/mkdir. Finding this particular problem has prompted us to look for similar bugs, be they introduced by wrongly absolutizing program paths or by programs changing their location. I have found: yast/yast-nfs-client/src/modules/Nfs.rb:563 "/usr/sbin/rpcinfo" yast/yast-yast2/library/network/src/modules/NetworkPopup.rb:198 is /sbin/rpcinfo yast/yast-users/src/modules/UsersRoutines.pm:49 "/usr/sbin/cryptconfig" removed in 15.0, https://doc.opensuse.org/release-notes/x86_64/openSUSE/Leap/15.0/ yast/yast-bootloader/src/lib/bootloader/boot_record_backup.rb:39 "/usr/sbin/mkdir" is /usr/bin/mkdir yast/yast-packager/src/include/checkmedia/ui.rb:542 "/bin/eject" is /usr/bin/eject yast/yast-yast2/library/general/src/scrconf/run_ifconfig.scr:49 "/sbin/ifconfig" is /usr/bin/ifconfig in net-tools-deprecated used by yast/yast-instserver/src/modules/Instserver.rb:673