ALERT: potential for `.' in _PATH_STDPATH [OpenSSH-1.2.1pre21]
Jim Knoble
jmknoble at pobox.com
Sun Dec 26 18:59:52 EST 1999
After the recent discussion here about some OpenSSH sshd's having
difficulty locating scp in /usr/local/bin/, i took a look at
openssh-1.2.1pre17's config.h.in and found what i believe is a
potential minor security problem: the _PATH_STDPATH defined there ends
in `:', effectively putting a `.' (current directory) at the end of the
path and thus opening ssh sessions that use that default PATH to the
possibility of trojan attacks.

This is *only* a problem if _PATH_STDPATH is not defined in your system
includes (usually in /usr/include/). If your system includes do define
_PATH_STDPATH (for example, in <paths.h>), this problem does not affect
you. (That is no guarantee, however, that your _PATH_STDPATH is
completely secure---check it to make sure it is.)

Since the `current directory' element is preceded by
`/usr/bin:/bin:/usr/sbin:/sbin', the possibility for such an attack
succeeding is less than if the current directory were at the beginning
of the PATH, but it's still Not A Good Thing(tm).

The attached patch fixes the potential problem. It's necessary to
re-./configure and recompile openssh after patching.
--
jim knoble
jmknoble at pobox.com
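
The check the message recommends for any _PATH_STDPATH value, as an added example that is not part of the original post or of OpenSSH: it classifies each colon-separated element and flags empty ones (from a leading, trailing or doubled `:') and relative ones, both of which are searched relative to the current directory. The names `classify', `count_elements' and `path_depends_on_cwd' are hypothetical, and every sample string other than the two fallback values from the patch is constructed.

```c
#include <stdio.h>
#include <string.h>

/* How one colon-separated PATH element is resolved at lookup time. */
enum elem_kind { ELEM_ABSOLUTE, ELEM_EMPTY, ELEM_RELATIVE };

static enum elem_kind classify(const char *elem, size_t len)
{
    if (len == 0)
        return ELEM_EMPTY;      /* "" is searched as the current directory */
    return elem[0] == '/' ? ELEM_ABSOLUTE : ELEM_RELATIVE;
}

/* Count the elements of `path` that are of the given kind. A leading,
 * trailing or doubled ':' each produces one empty element. */
int count_elements(const char *path, enum elem_kind kind)
{
    int n = 0;
    for (const char *p = path;; ) {
        size_t len = strcspn(p, ":");
        if (classify(p, len) == kind)
            n++;
        if (p[len] == '\0') break;
        p += len + 1;           /* step over the ':' separator */
    }
    return n;
}

/* Nonzero if any element makes command lookup depend on the cwd. */
int path_depends_on_cwd(const char *path)
{
    return count_elements(path, ELEM_EMPTY) > 0 ||
           count_elements(path, ELEM_RELATIVE) > 0;
}

int main(void)
{
    const char *samples[] = {
        "/usr/bin:/bin:/usr/sbin:/sbin:",    /* fallback before the patch */
        "/usr/bin:/bin:/usr/sbin:/sbin",     /* fallback after the patch */
        ":/bin", "/bin::/usr/bin", "/bin:.", /* constructed cases */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s empty=%d relative=%d cwd=%s\n", samples[i],
               count_elements(samples[i], ELEM_EMPTY),
               count_elements(samples[i], ELEM_RELATIVE),
               path_depends_on_cwd(samples[i]) ? "yes" : "no");
    return 0;
}
```
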
-------------- next part --------------
--- ./config.h.in.orig-pathdot Sat Dec 25 22:25:22 1999
+++ ./config.h.in Sun Dec 26 02:06:52 1999
@@ -371,7 +371,7 @@
#endif
#ifndef _PATH_STDPATH
-# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin:"
+# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
#endif
#ifndef _PATH_DEVNULL
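Review bot: the corrected `_PATH_STDPATH` define on the `+` line carries no comment saying why the value must not end in `:', so nothing stops a later edit from reintroducing the empty element. A one-line comment above the define, noting that an empty PATH element is searched as the current directory, would document the constraint. Because the define sits inside `#ifndef _PATH_STDPATH`, the change only affects builds where the system headers do not supply their own value; a system-provided `_PATH_STDPATH` is used unchanged, so it may be worth having the build check that value for empty or relative elements as well.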