openssh unix dev - Dec 1999 - ALERT: potential for `.' in _PATH_STDPATH [OpenSSH-1.2.1pre21]

After the recent discussion here about some OpenSSH sshd's having
difficulty locating scp in /usr/local/bin/, i took a look at
openssh-1.2.1pre17's config.h.in and found what i believe is a
potential minor security problem: the _PATH_STDPATH defined there ends
in `:', effectively putting a `.' (current directory) at the end of the
path and thus opening ssh sessions that use that default PATH to the
possibility of trojan attacks.

This is *only* a problem if _PATH_STDPATH is not defined in your system
includes (usually in /usr/include/).  If your system includes do define
_PATH_STDPATH (for example, in <paths.h>), this problem does not affect
you.  (That is no guarantee, however, that your _PATH_STDPATH is
completely secure---check it to make sure it is.)

Since the `current directory' element is preceded by
`/usr/bin:/bin:/usr/sbin:/sbin', the possibility for such an attack
succeeding is less than if the current directory were at the beginning
of the PATH, but it's still Not A Good Thing(tm).

The attached patch fixes the potential problem.  It's necessary to
re-./configure and recompile openssh after patching.

-- 
jim knoble
jmknoble at pobox.com
-------------- next part --------------
--- ./config.h.in.orig-pathdot	Sat Dec 25 22:25:22 1999
+++ ./config.h.in	Sun Dec 26 02:06:52 1999
@@ -371,7 +371,7 @@
 #endif
 
 #ifndef _PATH_STDPATH
-# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin:"
+# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
 #endif
 
 #ifndef _PATH_DEVNULL