Re: PATH variable in zip-slackware 2.0.35

From: kay (kayat_private)
Date: Wed Jan 06 1999 - 02:43:41 PST

Next message: aleph1at_private: "Re: bug: l0phcrack 2.5 - bad permisions on temp files,"

Previous message: spamhaterat_private: "Checking for most recent Solaris Security Patches"
Maybe in reply to: Steven Alexander: "PATH variable in zip-slackware 2.0.35"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 5 Jan 1999, Karl Stevens wrote:

> Have to comment here one last time:
> > This is not true. This is output from a clean Slackware 3.6:
> Well, it's true on ALL of my systems (14 to date) :
>
> schon:~$ echo $PATH
>
> /usr/local/bin:/bin:/usr/bin:/usr/X11/bin:/usr/andrew/bin:/usr/openwin/bin:/usr/
> games:.
> schon:~$ su
> Password:
> schon:/home/karl# echo $PATH
>
> /usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin

Sorry, my fault. The path is even more restricted when you do plain su to
a normal user (it is the $ENV_PATH in /etc/login.defs):

bash# su nobody
bash$ echo $PATH
/usr/local/bin:/bin:/usr/bin

The example in my posting was after direct login as root. The same thing
is observed when used "su - <user>" to set her environment properly:

bash$ echo $PATH
/usr/local/bin:/bin:/usr/bin:/usr/X11/bin:/usr/andrew/bin:/usr/openwin/bin \
:/usr/games:.
bash$ su -
Password:
bash# echo $PATH
/usr/local/bin:/bin:/usr/bin:/usr/X11/bin:/usr/andrew/bin:/usr/openwin/bin \
:/usr/games:.

> > A quick look through the init scripts reveals no distinguish whether they
> > run as root, other privileged uid, or something.
> Another quick look reveals this:
>
> schon:/etc# grep 'ENV_SUPATH' /etc/login.defs
> # Three items must be defined:  MAIL_DIR, ENV_SUPATH, and ENV_PATH.
>
> ENV_SUPATH
> PATH=/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin

But this is only when su is used ?! It was about shell init scripts that
are present by default.

> [snip]
> Granted there are problems with security on a default slackware install
> (including ttyp's in /etc/securetty for one) I don't think this is
> really one of them.. either that, or I'm doing something totally different
> than you are during install.

Agreed. The world-readable /root directory, missing umask (so it is
default to 022), /etc/rc.d/* scripts are some examples. I'm not trying to
say Slackware is insecure. IMHO it is the most do-it-your-self-flavoured
major Linux distribution, how it works depends entirely on you.
I do not know if there is something specific to _my_ install - it's pure
Slackware 3.6, downloaded from a local mirror. All problems mentioned
in the original posting about zipslack were present on my (only :-) box.

--
kay                                                       // kayat_private

Next message: aleph1at_private: "Re: bug: l0phcrack 2.5 - bad permisions on temp files,"
Previous message: spamhaterat_private: "Checking for most recent Solaris Security Patches"
Maybe in reply to: Steven Alexander: "PATH variable in zip-slackware 2.0.35"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:27:36 PDT