https://bugzilla.novell.com/show_bug.cgi?id=794084 https://bugzilla.novell.com/show_bug.cgi?id=794084#c1 Jiří Suchomel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO CC| |jsrain@suse.com, | |jsuchome@suse.com, | |locilka@suse.com InfoProvider| |mvidner@suse.com --- Comment #1 from Jiří Suchomel 2012-12-12 13:29:16 UTC --- (In reply to comment #0)

I'm sure there are other places where binaries are called with absolute paths, please fix such places as well.

Plenty, likely most of calls done by YaST via SCR (.target.bash_*) use absolute paths. AFAIK target agent warns against non-absolute paths. Martin, you may be to one to know the original reason, as well as the current necessity of it. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=794084 https://bugzilla.novell.com/show_bug.cgi?id=794084#c3 --- Comment #3 from Jiří Suchomel 2012-12-13 10:31:02 UTC --- Going though whole ycp code, replace the calls, submit new packages might be long task, specially when we do not see a reward. I suggest to replace the call path only when we already touch some yast2 package for a different reason. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=794084 https://bugzilla.novell.com/show_bug.cgi?id=794084#c5 Jiří Suchomel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO InfoProvider| |security-team@suse.de --- Comment #5 from Jiří Suchomel 2012-12-13 11:17:27 UTC --- What is the security team stance? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=794084 https://bugzilla.novell.com/show_bug.cgi?id=794084#c7 --- Comment #7 from Olaf Hering 2012-12-13 15:05:31 CET --- If a $tool (like yast) needs certain elements in PATH it has to append or prepend the required elements. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=794084 https://bugzilla.novell.com/show_bug.cgi?id=794084#c9 --- Comment #9 from Olaf Hering 2012-12-13 17:18:22 CET --- (In reply to comment #8)

(In reply to comment #7)

...

If a $tool (like yast) needs certain elements in PATH it has to append or prepend the required elements.

There's nothing like $tool like YaST. YaST is a set of tools using many different binaries from different paths.

YaST runs as root, so, for security reasons, binaries are called using their full path. We'll wait for the security team to evaluate the current status and/or propose better solution.

If thats a real concern, why not force PATH to have a fixed value with needed paths, at yast startup? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=794084 https://bugzilla.novell.com/show_bug.cgi?id=794084#c11 Thomas Biege changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|security-team@suse.de | --- Comment #11 from Thomas Biege 2012-12-14 15:42:29 CET --- (In reply to comment #5)

What is the security team stance?

- used a safe set of $PATH /bin:/usr/bin:/sbin:/usr/sbin - do not use the $PATH inherited from the caller (problematic with setuid, and AFAIR su/sudo) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=794084 https://bugzilla.novell.com/show_bug.cgi?id=794084#c13 Arvin Schnell changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|aschnell@suse.com | --- Comment #13 from Arvin Schnell 2013-01-02 10:15:22 UTC --- Due to the many entry points YaST has this is difficult (as Lukas already mentioned) if you want the change to also effect e.g. startup scripts. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=794084 https://bugzilla.novell.com/show_bug.cgi?id=794084#c15 Arvin Schnell changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED --- Comment #15 from Arvin Schnell 2013-01-04 15:39:38 UTC --- Created pull request: https://github.com/yast/yast-yast2/pull/35 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=794084 https://bugzilla.novell.com/show_bug.cgi?id=794084#c17 --- Comment #17 from Bernhard Wiedemann 2013-01-08 14:00:42 CET --- This is an autogenerated message for OBS integration: This bug (794084) was mentioned in https://build.opensuse.org/request/show/147522 Factory / yast2 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.