Jim Knoble
1999-Dec-26 07:59 UTC
ALERT: potential for `.' in _PATH_STDPATH [OpenSSH-1.2.1pre21]
After the recent discussion here about some OpenSSH sshd's having difficulty locating scp in /usr/local/bin/, i took a look at openssh-1.2.1pre17's config.h.in and found what i believe is a potential minor security problem: the _PATH_STDPATH defined there ends in `:', effectively putting a `.' (current directory) at the end of the path and thus opening ssh sessions that use that default PATH to the possibility of trojan attacks. This is *only* a problem if _PATH_STDPATH is not defined in your system includes (usually in /usr/include/). If your system includes do define _PATH_STDPATH (for example, in <paths.h>), this problem does not affect you. (That is no guarantee, however, that your _PATH_STDPATH is completely secure---check it to make sure it is.) Since the `current directory' element is preceded by `/usr/bin:/bin:/usr/sbin:/sbin', the possibility for such an attack succeeding is less than if the current directory were at the beginning of the PATH, but it's still Not A Good Thing(tm). The attached patch fixes the potential problem. It's necessary to re-./configure and recompile openssh after patching. -- jim knoble jmknoble at pobox.com -------------- next part -------------- --- ./config.h.in.orig-pathdot Sat Dec 25 22:25:22 1999 +++ ./config.h.in Sun Dec 26 02:06:52 1999 @@ -371,7 +371,7 @@ #endif #ifndef _PATH_STDPATH -# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin:" +# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin" #endif #ifndef _PATH_DEVNULL