Mailinglist Archive: opensuse-security (601 mails)

Re: [suse-security] kdesu -c kvt
  • From: Roman Drahtmueller <draht@xxxxxxx>
  • Date: Mon, 7 Aug 2000 02:24:24 +0200 (MEST)
  • Message-id: <Pine.LNX.4.21.0008070151280.2133-100000@xxxxxxxxxxxx>
Russell,

> When invoking a root console via kdesu, root's path is inherited from the
> user's path.
>
> PATH=/usr/local/bin:/usr/bin:/usr/X11R6/bin:/bin:/usr/games/bin:/usr/games:/opt/gnome/bin:/opt/kde/bin:.
>
> I believe it is considered bad security to have . in root's path.
>
> Thank you
> Russell

You are right. But the problem here is that the environment is inherited
in the first place. This is inevitable since some env vars are needed for
X authentication (if you don't want to work around this problem...).

It is _your_ environment that is being passed to the application you run.
If you do not want "." to show up in the path, then change your path, or
do something like

kdesu -c "kvt -ls" # still, it depends on where you are when you
# call it.

You might also want to use konsole instead of kvt (bugs...).

If you want to be sure that your root-environment is sane, then use

su -

to get a root shell. Omitting the "-" will pass on the environment.
Basically, this is the same as what kdesu does.


Thanks,
Roman.
--
- -
| Roman Drahtmüller <draht@xxxxxxx> // "Caution: Cape does |
SuSE GmbH - Security Phone: // not enable user to fly."
| Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) |
- -
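
The check implied by the reply above, as an added example that is not part of the original message: a POSIX shell sketch that flags PATH entries resolving to the current directory (".", empty entries from a leading, trailing or doubled ":", and any other relative directory) and prints a copy with them removed. The function names unsafe_path_entries and sane_path are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original mail; function names are hypothetical.

# unsafe_path_entries PATH_STRING
# Prints one line per entry that resolves relative to the current directory
# and returns 0 if any were found, 1 if every entry is absolute.
unsafe_path_entries() {
    rest="$1:" found=1      # trailing ":" keeps a final empty entry visible
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text before the first ":"
        rest=${rest#*:}     # everything after it
        case $entry in
            /*) ;;                                                  # absolute: fine
            '') echo "empty entry (means current directory)"; found=0 ;;
            *)  echo "relative entry: $entry"; found=0 ;;           # includes "."
        esac
    done
    return $found
}

# sane_path PATH_STRING
# Prints PATH_STRING with every non-absolute entry dropped.
sane_path() {
    rest="$1:" out=
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            /*) out=${out:+$out:}$entry ;;
        esac
    done
    printf '%s\n' "$out"
}

# The PATH quoted in the message above, rejoined onto one line.
SAMPLE=/usr/local/bin:/usr/bin:/usr/X11R6/bin:/bin:/usr/games/bin:/usr/games:/opt/gnome/bin:/opt/kde/bin:.
if unsafe_path_entries "$SAMPLE"; then
    echo "cleaned: $(sane_path "$SAMPLE")"
fi
```

Run it against $PATH in the session from which kdesu or plain su is started, since that is the environment being passed on.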

