[yast-devel] Moving stuff from /sbin /bin /lib /lib64 to /usr/*
Hi fellow developers :) Fourteen days ago, I had an issue to fix: Installer was calling /bin/rm but there was none - it's been already moved to /usr/bin/rm [#1]. Object /bin/rm should have been linking to /usr/bin/rm. In fact, the bug has been most probably caused by a broken build or installer DVD or maybe inst-sys build. But this has shown how fragile might be a code that uses obsolete paths [#2], [#3]. So, please, next time you (or me) add a code which calls some binaries, let's make sure it uses the `currently` right path. Let's use the /usr/* whenever it's possible. Many people are asking: Should I change all the code now? The answer is: No, just when you touch it anyway, make sure you change it the right way. It's similar to replacing Builtins.* with with their Ruby fellows, e.g. Builtins.y2milestone -> log.info. Thanks in advance Lukas #1 https://github.com/yast/yast-installation/pull/217 #2 https://en.opensuse.org/openSUSE:Usr_merge #3 http://www.freedesktop.org/wiki/Software/systemd/TheCaseForTheUsrMerge/ PS: Please correct me if I have written anything wrong :) -- Lukas Ocilka, Systems Management (Yast) Team Leader Cloud & Systems Management Department, SUSE Linux -- To unsubscribe, e-mail: yast-devel+unsubscribe@opensuse.org To contact the owner, e-mail: yast-devel+owner@opensuse.org
On Mon, 07 Jul 2014 14:01:15 +0200
Lukas Ocilka
Hi fellow developers :)
Fourteen days ago, I had an issue to fix: Installer was calling /bin/rm but there was none - it's been already moved to /usr/bin/rm [#1]. Object /bin/rm should have been linking to /usr/bin/rm. In fact, the bug has been most probably caused by a broken build or installer DVD or maybe inst-sys build.
But this has shown how fragile might be a code that uses obsolete paths [#2], [#3]. So, please, next time you (or me) add a code which calls some binaries, let's make sure it uses the `currently` right path. Let's use the /usr/* whenever it's possible.
Many people are asking: Should I change all the code now? The answer is: No, just when you touch it anyway, make sure you change it the right way. It's similar to replacing Builtins.* with with their Ruby fellows, e.g. Builtins.y2milestone -> log.info.
Thanks in advance Lukas
#1 https://github.com/yast/yast-installation/pull/217 #2 https://en.opensuse.org/openSUSE:Usr_merge #3 http://www.freedesktop.org/wiki/Software/systemd/TheCaseForTheUsrMerge/
PS: Please correct me if I have written anything wrong :)
I have general question and I think answer to it should be somewhere written as documented decision. Why we use absolute path to binary? I think proper set PATH in environment should be goal and use common path. Also from security point of view it is quite useless because if PATH is attacked, then also any real root action is attacked. For me it is more native to write "rm -rf /" and not "/usr/bin/rm -rf /". Josef -- To unsubscribe, e-mail: yast-devel+unsubscribe@opensuse.org To contact the owner, e-mail: yast-devel+owner@opensuse.org
On 7.7.2014 14:07, Josef Reidinger wrote:
On Mon, 07 Jul 2014 14:01:15 +0200 Lukas Ocilka
wrote: Hi fellow developers :)
Fourteen days ago, I had an issue to fix: Installer was calling /bin/rm but there was none - it's been already moved to /usr/bin/rm [#1]. Object /bin/rm should have been linking to /usr/bin/rm. In fact, the bug has been most probably caused by a broken build or installer DVD or maybe inst-sys build.
But this has shown how fragile might be a code that uses obsolete paths [#2], [#3]. So, please, next time you (or me) add a code which calls some binaries, let's make sure it uses the `currently` right path. Let's use the /usr/* whenever it's possible.
Many people are asking: Should I change all the code now? The answer is: No, just when you touch it anyway, make sure you change it the right way. It's similar to replacing Builtins.* with with their Ruby fellows, e.g. Builtins.y2milestone -> log.info.
Thanks in advance Lukas
#1 https://github.com/yast/yast-installation/pull/217 #2 https://en.opensuse.org/openSUSE:Usr_merge #3 http://www.freedesktop.org/wiki/Software/systemd/TheCaseForTheUsrMerge/
PS: Please correct me if I have written anything wrong :)
I have general question and I think answer to it should be somewhere written as documented decision.
Why we use absolute path to binary? I think proper set PATH in environment should be goal and use common path. Also from security point of view it is quite useless because if PATH is attacked, then also any real root action is attacked.
For me it is more native to write "rm -rf /" and not "/usr/bin/rm -rf /".
Sure, I myself also prefer the shorter way, but I think it was because of security. Let's ask our security expert if this is really the case, or whether it has changed meanwhile. Thomas, please, have a look. Thanks in advance Lukas -- Lukas Ocilka, Systems Management (Yast) Team Leader Cloud & Systems Management Department, SUSE Linux -- To unsubscribe, e-mail: yast-devel+unsubscribe@opensuse.org To contact the owner, e-mail: yast-devel+owner@opensuse.org
On Mon, Jul 07, 2014 at 02:11:48PM +0200, Lukas Ocilka wrote:
On 7.7.2014 14:07, Josef Reidinger wrote:
I have general question and I think answer to it should be somewhere written as documented decision.
Why we use absolute path to binary? I think proper set PATH in environment should be goal and use common path. Also from security point of view it is quite useless because if PATH is attacked, then also any real root action is attacked.
Sure, I myself also prefer the shorter way, but I think it was because of security. Let's ask our security expert if this is really the case, or whether it has changed meanwhile.
Bug https://bugzilla.novell.com/show_bug.cgi?id=794084 mentions
some reasons.
Regards,
Arvin
--
Arvin Schnell,
On Mon, 7 Jul 2014 14:17:40 +0200
Arvin Schnell
On Mon, Jul 07, 2014 at 02:11:48PM +0200, Lukas Ocilka wrote:
On 7.7.2014 14:07, Josef Reidinger wrote:
I have general question and I think answer to it should be somewhere written as documented decision.
Why we use absolute path to binary? I think proper set PATH in environment should be goal and use common path. Also from security point of view it is quite useless because if PATH is attacked, then also any real root action is attacked.
Sure, I myself also prefer the shorter way, but I think it was because of security. Let's ask our security expert if this is really the case, or whether it has changed meanwhile.
Bug https://bugzilla.novell.com/show_bug.cgi?id=794084 mentions some reasons.
Regards, Arvin
I see some reasons, but I worry that we need to proper fix PATH otherwise 1) any call that do not have absolute path is security problem ( I know a lot of places where we call e.g. sed without absolute path, so simple fake sed in some location can be used to get root permissions ) 2) if some module need path that is not standard, then it is up to module to properly set it or use absolute path 3) we are affected by changes of binary as showed above Josef -- To unsubscribe, e-mail: yast-devel+unsubscribe@opensuse.org To contact the owner, e-mail: yast-devel+owner@opensuse.org
On Mon, Jul 07, 2014 at 02:23:36PM +0200, Josef Reidinger wrote:
On Mon, 7 Jul 2014 14:17:40 +0200 Arvin Schnell
wrote: On Mon, Jul 07, 2014 at 02:11:48PM +0200, Lukas Ocilka wrote:
On 7.7.2014 14:07, Josef Reidinger wrote:
I have general question and I think answer to it should be somewhere written as documented decision.
Why we use absolute path to binary? I think proper set PATH in environment should be goal and use common path. Also from security point of view it is quite useless because if PATH is attacked, then also any real root action is attacked.
Sure, I myself also prefer the shorter way, but I think it was because of security. Let's ask our security expert if this is really the case, or whether it has changed meanwhile.
Bug https://bugzilla.novell.com/show_bug.cgi?id=794084 mentions some reasons.
Regards, Arvin
I see some reasons, but I worry that we need to proper fix PATH
But how, esp. if we want to make parts of YaST available as libraries (modules/gems)?
From my point of a library should work with any PATH variable.
Regards,
Arvin
--
Arvin Schnell,
On Mon, 7 Jul 2014 14:52:07 +0200
Arvin Schnell
On Mon, Jul 07, 2014 at 02:23:36PM +0200, Josef Reidinger wrote:
On Mon, 7 Jul 2014 14:17:40 +0200 Arvin Schnell
wrote: On Mon, Jul 07, 2014 at 02:11:48PM +0200, Lukas Ocilka wrote:
On 7.7.2014 14:07, Josef Reidinger wrote:
I have general question and I think answer to it should be somewhere written as documented decision.
Why we use absolute path to binary? I think proper set PATH in environment should be goal and use common path. Also from security point of view it is quite useless because if PATH is attacked, then also any real root action is attacked.
Sure, I myself also prefer the shorter way, but I think it was because of security. Let's ask our security expert if this is really the case, or whether it has changed meanwhile.
Bug https://bugzilla.novell.com/show_bug.cgi?id=794084 mentions some reasons.
Regards, Arvin
I see some reasons, but I worry that we need to proper fix PATH
But how, esp. if we want to make parts of YaST available as libraries (modules/gems)?
From my point of a library should work with any PATH variable.
Regards, Arvin
On other hand absolute path can make troubles to use library/gem on non-suse systems or even on older suse systems, which is wrong from my POV. I think it is reasonable requirement for library or gem, that it need working path to its work. So I think resolution can be use PATH for common binaries and for specific binaries use absolute path. Josef -- To unsubscribe, e-mail: yast-devel+unsubscribe@opensuse.org To contact the owner, e-mail: yast-devel+owner@opensuse.org
On Mon, Jul 07, 2014 at 03:01:40PM +0200, Josef Reidinger wrote:
On other hand absolute path can make troubles to use library/gem on non-suse systems or even on older suse systems, which is wrong from my POV.
Yes, that's why I dislike all this moving of binaries.
So I think resolution can be use PATH for common binaries and for specific binaries use absolute path.
Paving the path to security issues? I suppose developers just use
a library and expect it to be safe independent of PATH. For
libstorage that's my objective.
Regards,
Arvin
--
Arvin Schnell,
On Mon, 7 Jul 2014 15:22:24 +0200
Arvin Schnell
On Mon, Jul 07, 2014 at 03:01:40PM +0200, Josef Reidinger wrote:
On other hand absolute path can make troubles to use library/gem on non-suse systems or even on older suse systems, which is wrong from my POV.
Yes, that's why I dislike all this moving of binaries.
I agree, I also do not see benefit of this step.
So I think resolution can be use PATH for common binaries and for specific binaries use absolute path.
Paving the path to security issues? I suppose developers just use a library and expect it to be safe independent of PATH. For libstorage that's my objective.
Maybe we can look around how other tools do this task and collect possible ideas how to solve it? Josef
Regards, Arvin
-- To unsubscribe, e-mail: yast-devel+unsubscribe@opensuse.org To contact the owner, e-mail: yast-devel+owner@opensuse.org
On Mon, Jul 07, 2014 at 03:30:52PM +0200, Josef Reidinger wrote:
On Mon, 7 Jul 2014 15:22:24 +0200 Arvin Schnell
wrote: On Mon, Jul 07, 2014 at 03:01:40PM +0200, Josef Reidinger wrote:
On other hand absolute path can make troubles to use library/gem on non-suse systems or even on older suse systems, which is wrong from my POV.
Yes, that's why I dislike all this moving of binaries.
I agree, I also do not see benefit of this step.
So I think resolution can be use PATH for common binaries and for specific binaries use absolute path.
Paving the path to security issues? I suppose developers just use a library and expect it to be safe independent of PATH. For libstorage that's my objective.
Maybe we can look around how other tools do this task and collect possible ideas how to solve it?
Sure, I just grepped for "bin/" in my upstream git repos
directory and found e.g. (more than 200):
./hwinfo/src/hd/block.c: hd_data->lsscsi = read_file("|/usr/bin/lsscsi -t 2>/dev/null", 0, 0);
./hwinfo/src/hd/net.c: str_printf(&buf, 0, "|/usr/sbin/ethtool -e %s 2>/dev/null", hd->unix_dev_name);
./linux-pam/modules/pam_xauth/pam_xauth.c: "/usr/bin/X11/xauth"
./linux-pam/modules/pam_namespace/pam_namespace.c: if (execle("/bin/rm", "/bin/rm", "-rf", pptr->instance_prefix, NULL, envp) < 0)
./glibc/stdio-common/test-popen.c: output = popen("/bin/cat", "m");
./xfsprogs/libdisk/dm.c: else if (!access("/sbin/dmsetup", R_OK|X_OK))
./libyui/libyui-gtk/src/YGDialog.cc: ret = system ("/usr/bin/xterm &");
./libzypp/zypp/KeyRing.cc: #define GPG_BINARY "/usr/bin/gpg2"
./libzypp/tests/zypp/PluginFrame_test.cc: PluginScript scr( "/bin/cat" );
And in all systemd service files I couldn't find a single Exec
statement without a full path.
Regards,
Arvin
--
Arvin Schnell,
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi. Am 07.07.2014 14:11, schrieb Lukas Ocilka:
On 7.7.2014 14:07, Josef Reidinger wrote:
On Mon, 07 Jul 2014 14:01:15 +0200 Lukas Ocilka
wrote: [...]
I have general question and I think answer to it should be somewhere written as documented decision.
Why we use absolute path to binary? I think proper set PATH in environment should be goal and use common path. Also from security point of view it is quite useless because if PATH is attacked, then also any real root action is attacked.
For me it is more native to write "rm -rf /" and not "/usr/bin/rm -rf /".
Sure, I myself also prefer the shorter way, but I think it was because of security. Let's ask our security expert if this is really the case, or whether it has changed meanwhile.
I would suggest to set PATH to a safe value (/bin, /sbin, /usr/bin,
/usr/sbin, maybe more) in your code and use the short form of the
command for your convenience. This also increase the stability of your
code.
Attacking code via PATH is only interesting in scenarios where a
normal user can execute a privileged binary (setuid, for example) and
this privileged code relies on PATH or other environment variables.
If you use sudo/su the PATH should be ok. The same for calling it
directly as root.
HTH
Thomas
- --
Thomas Biege
Hello Thomas, On Jul 8 11:55 Thomas Biege wrote (excerpt):
I would suggest to set PATH to a safe value (/bin, /sbin, /usr/bin, /usr/sbin, maybe more) in your code and use the short form of the command for your convenience.
I wonder if the ordering of the directories in PATH is of importance? In https://bugzilla.novell.com/show_bug.cgi?id=794084#c11 you suggested to set PATH to /bin:/usr/bin:/sbin:/usr/sbin root has after log in /sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/bin:... In bash scripts and when running commands in yast2-printer I use --------------------------------------------------------------------- # Make sure to have a clean environment: export PATH="/sbin:/usr/sbin:/usr/bin:/bin" export LC_ALL="POSIX" export LANG="POSIX" umask 022 --------------------------------------------------------------------- I would appreciate an authoritative "recommended default way" how to set up a reasonably clean environment before calling programs as root. Is perhaps calling "su - root" a reasonable way? Kind Regards Johannes Meixner -- SUSE LINUX Products GmbH -- Maxfeldstrasse 5 -- 90409 Nuernberg -- Germany HRB 16746 (AG Nuernberg) GF: Jeff Hawn, Jennifer Guild, Felix Imendoerffer -- To unsubscribe, e-mail: yast-devel+unsubscribe@opensuse.org To contact the owner, e-mail: yast-devel+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Am 08.07.2014 12:35, schrieb Johannes Meixner:
Hello Thomas,
On Jul 8 11:55 Thomas Biege wrote (excerpt):
I would suggest to set PATH to a safe value (/bin, /sbin, /usr/bin, /usr/sbin, maybe more) in your code and use the short form of the command for your convenience.
I wonder if the ordering of the directories in PATH is of importance?
In https://bugzilla.novell.com/show_bug.cgi?id=794084#c11 you suggested to set PATH to /bin:/usr/bin:/sbin:/usr/sbin
root has after log in /sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/bin:...
This
one looks good and we use it already.
In bash scripts and when running commands in yast2-printer I use ---------------------------------------------------------------------
# Make sure to have a clean environment:
export PATH="/sbin:/usr/sbin:/usr/bin:/bin" export LC_ALL="POSIX" export LANG="POSIX" umask 022 ---------------------------------------------------------------------
I would appreciate an authoritative "recommended default way" how to set up a reasonably clean environment before calling programs as root.
Is perhaps calling "su - root" a reasonable way?
For executing "rm"? Bye, Thomas
Kind Regards Johannes Meixner
- --
Thomas Biege
Hello, On Jul 8 16:18 Thomas Biege wrote:
Am 08.07.2014 12:35, schrieb Johannes Meixner: ...
I would appreciate an authoritative "recommended default way" how to set up a reasonably clean environment before calling programs as root.
Is perhaps calling "su - root" a reasonable way?
For executing "rm"?
I do not understand what you mean. Kind Regards Johannes Meixner -- SUSE LINUX Products GmbH -- Maxfeldstrasse 5 -- 90409 Nuernberg -- Germany HRB 16746 (AG Nuernberg) GF: Jeff Hawn, Jennifer Guild, Felix Imendoerffer -- To unsubscribe, e-mail: yast-devel+unsubscribe@opensuse.org To contact the owner, e-mail: yast-devel+owner@opensuse.org
Am 09.07.14 11:52, schrieb Johannes Meixner:
Hello,
On Jul 8 16:18 Thomas Biege wrote:
Am 08.07.2014 12:35, schrieb Johannes Meixner: ...
I would appreciate an authoritative "recommended default way" how to set up a reasonably clean environment before calling programs as root.
Is perhaps calling "su - root" a reasonable way?
For executing "rm"?
I do not understand what you mean.
I am not sure what exactly you want to solve by calling "su - root". I think I just miss the context. Bye, Thomas
Kind Regards Johannes Meixner
--
Thomas Biege
Hello, On Jul 9 11:56 Thomas Biege wrote (excerpt):
Am 08.07.2014 12:35, schrieb Johannes Meixner: ...
I would appreciate an authoritative "recommended default way" how to set up a reasonably clean environment before calling programs as root.
Is perhaps calling "su - root" a reasonable way?
I am not sure what exactly you want to solve by calling "su - root". I think I just miss the context.
I think the final goal is to "do something appropriate" in YaST before it calls external programs to avoid "unexpected issues". I am afraid, but I cannot describe it in more exact words. I think what might be basically wanted is to run external programs by YaST in the same way as if the user root would have called them manually. Because "man su" reads ------------------------------------------------------------------------ -, -l, --login Starts the shell as a login shell with an environment similar to a real login: o clears all the environment variables except TERM o initializes the environment variables HOME, SHELL, USER, LOGNAME, and PATH o changes to the target user's home directory o sets argv[0] of the shell to '-' in order to make the shell a login shell ------------------------------------------------------------------------ I asked if perhaps calling "su - root" in YaST before it calls other external programs is a reasonable way to run them in the same way as if the user root would have called them manually. On the other hand I don't know if it is really wise to run external programs by YaST in the same way as if the user root would have called them manually because the user root in an arbitrary real system "out there" may have whatever unexpected settings like strange PATH or strange locale or whatever else. Therefore it is perhaps better to explicitly set PATH, locale, and whatever else to sane values as I attempt it currently via --------------------------------------------------------------------- # Make sure to have a clean environment: export PATH="/sbin:/usr/sbin:/usr/bin:/bin" export LC_ALL="POSIX" export LANG="POSIX" umask 022 --------------------------------------------------------------------- Kind Regards Johannes Meixner -- SUSE LINUX Products GmbH -- Maxfeldstrasse 5 -- 90409 Nuernberg -- Germany HRB 16746 (AG Nuernberg) GF: Jeff Hawn, Jennifer Guild, Felix Imendoerffer -- To unsubscribe, e-mail: yast-devel+unsubscribe@opensuse.org To contact the owner, e-mail: yast-devel+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Johannes, Am 09.07.2014 16:31, schrieb Johannes Meixner:
Hello,
On Jul 9 11:56 Thomas Biege wrote (excerpt):
Am 08.07.2014 12:35, schrieb Johannes Meixner: ...
I would appreciate an authoritative "recommended default way" how to set up a reasonably clean environment before calling programs as root.
Is perhaps calling "su - root" a reasonable way?
I am not sure what exactly you want to solve by calling "su - root". I think I just miss the context.
I think the final goal is to "do something appropriate" in YaST before it calls external programs to avoid "unexpected issues".
ah, I got it now. I would not use "su" but explicitly set the PATH as you mentioned below because you will not rely on "su" then, reduce the process overhead, and have a defined state of the environ**. HTH Thomas
I am afraid, but I cannot describe it in more exact words.
I think what might be basically wanted is to run external programs by YaST in the same way as if the user root would have called them manually.
Because "man su" reads ------------------------------------------------------------------------
- -, -l, --login
Starts the shell as a login shell with an environment similar to a real login: o clears all the environment variables except TERM o initializes the environment variables HOME, SHELL, USER, LOGNAME, and PATH o changes to the target user's home directory o sets argv[0] of the shell to '-' in order to make the shell a login shell ------------------------------------------------------------------------
I asked if perhaps calling "su - root" in YaST before it calls
other external programs is a reasonable way to run them in the same way as if the user root would have called them manually.
On the other hand I don't know if it is really wise to run external programs by YaST in the same way as if the user root would have called them manually because the user root in an arbitrary real system "out there" may have whatever unexpected settings like strange PATH or strange locale or whatever else.
Therefore it is perhaps better to explicitly set PATH, locale, and whatever else to sane values as I attempt it currently via ---------------------------------------------------------------------
# Make sure to have a clean environment:
export PATH="/sbin:/usr/sbin:/usr/bin:/bin" export LC_ALL="POSIX" export LANG="POSIX" umask 022 ---------------------------------------------------------------------
Kind Regards Johannes Meixner
- --
Thomas Biege
participants (5)
-
Arvin Schnell
-
Johannes Meixner
-
Josef Reidinger
-
Lukas Ocilka
-
Thomas Biege