ALERT: potential for `.' in _PATH_STDPATH [OpenSSH-1.2.1pre21]

Jim Knoble jmknoble at
Sun Dec 26 18:59:52 EST 1999

After the recent discussion here about some OpenSSH sshd's having
difficulty locating scp in /usr/local/bin/, i took a look at
openssh-1.2.1pre17's and found what i believe is a
potential minor security problem: the _PATH_STDPATH defined there ends
in `:', effectively putting a `.' (current directory) at the end of the
path and thus opening ssh sessions that use that default PATH to the
possibility of trojan attacks.

This is *only* a problem if _PATH_STDPATH is not defined in your system
includes (usually in /usr/include/).  If your system includes do define
_PATH_STDPATH (for example, in <paths.h>), this problem does not affect
you.  (That is no guarantee, however, that your _PATH_STDPATH is
completely secure---check it to make sure it is.)

Since the `current directory' element is preceded by
`/usr/bin:/bin:/usr/sbin:/sbin', the possibility for such an attack
succeeding is less than if the current directory were at the beginning
of the PATH, but it's still Not A Good Thing(tm).

The attached patch fixes the potential problem.  It's necessary to
re-./configure and recompile openssh after patching.

jim knoble
jmknoble at
-------------- next part --------------
--- ./	Sat Dec 25 22:25:22 1999
+++ ./	Sun Dec 26 02:06:52 1999
@@ -371,7 +371,7 @@
 #ifndef _PATH_STDPATH
-# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin:"
+# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
 #ifndef _PATH_DEVNULL

More information about the openssh-unix-dev mailing list