On Tue, 5 Jan 1999, Karl Stevens wrote:

> Have to comment here one last time:
>
> > This is not true. This is output from a clean Slackware 3.6:
> Well, it's true on ALL of my systems (14 to date) :
>
> schon:~$ echo $PATH
>
> /usr/local/bin:/bin:/usr/bin:/usr/X11/bin:/usr/andrew/bin:/usr/openwin/bin:/usr/
> games:.
> schon:~$ su
> Password:
> schon:/home/karl# echo $PATH
>
> /usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin

Sorry, my fault. The path is even more restricted when you do plain su to
a normal user (it is the $ENV_PATH in /etc/login.defs):

bash# su nobody
bash$ echo $PATH
/usr/local/bin:/bin:/usr/bin

The example in my posting was after direct login as root. The same thing
is observed when "su - <user>" is used to set her environment properly:

bash$ echo $PATH
/usr/local/bin:/bin:/usr/bin:/usr/X11/bin:/usr/andrew/bin:/usr/openwin/bin \
:/usr/games:.
bash$ su -
Password:
bash# echo $PATH
/usr/local/bin:/bin:/usr/bin:/usr/X11/bin:/usr/andrew/bin:/usr/openwin/bin \
:/usr/games:.

> > A quick look through the init scripts reveals no distinguish whether they
> > run as root, other privileged uid, or something.
> Another quick look reveals this:
>
> schon:/etc# grep 'ENV_SUPATH' /etc/login.defs
> # Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH.
>
> ENV_SUPATH
> PATH=/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin

But this is only when su is used?! It was about shell init scripts that
are present by default.

> [snip]
> Granted there are problems with security on a default slackware install
> (including ttyp's in /etc/securetty for one) I don't think this is
> really one of them.. either that, or I'm doing something totally different
> than you are during install.

Agreed. The world-readable /root directory, missing umask (so it defaults
to 022), /etc/rc.d/* scripts are some examples. I'm not trying to say
Slackware is insecure. IMHO it is the most do-it-yourself-flavoured major
Linux distribution, how it works depends entirely on you.

I do not know if there is something specific to _my_ install - it's pure
Slackware 3.6, downloaded from a local mirror. All problems mentioned in
the original posting about zipslack were present on my (only :-) box.

--
kay // kayat_private
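
The difference between the two root PATH values quoted in this thread can be checked mechanically. The script below is an added example, not part of the original message or of Slackware: audit_path is a hypothetical helper name, and besides the "." entry discussed above it also flags empty, relative and world-writable components, which goes beyond what the thread covers.

```shell
#!/bin/sh
# Added example. audit_path is a hypothetical helper, not a Slackware tool.
# Prints one finding per unsafe PATH component; returns 0 only if none.
audit_path() {
    findings=0
    rest="$1:"          # sentinel colon so a trailing empty component survives
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            "") msg="CWD: empty component (searched as current directory)" ;;
            .)  msg="CWD: '.' entry" ;;
            /*) # absolute: flag only if it exists and anyone may write to it
                if [ -d "$entry" ] &&
                   [ -n "$(find -H "$entry" -prune -perm -0002 -print 2>/dev/null)" ]
                then msg="WORLD-WRITABLE: $entry"
                else msg=""
                fi ;;
            *)  msg="RELATIVE: $entry (resolved against current directory)" ;;
        esac
        if [ -n "$msg" ]; then
            echo "$msg"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# PATH values quoted in the thread: root after direct login / "su -",
# and root after plain su (ENV_SUPATH). The wrapped line is rejoined here.
LOGIN_PATH='/usr/local/bin:/bin:/usr/bin:/usr/X11/bin:/usr/andrew/bin:/usr/openwin/bin:/usr/games:.'
SU_PATH='/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin'

for p in "$LOGIN_PATH" "$SU_PATH"; do
    echo "== $p"
    audit_path "$p" || echo "-> not suitable for a root shell"
done
```

Run it as-is to compare the two values, or call audit_path "$PATH" from a root shell to check the live environment.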
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:27:36 PDT