[Bug 131] Problems with sshd's compiled in default PATH.

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Mar 2 03:32:59 EST 2002


http://bugzilla.mindrot.org/show_bug.cgi?id=131
------- Additional Comments From mouring at eviladmin.org  2002-03-02 03:32 -------
> About the shell initialization files:  I MUST strongly disagree with this
> statement from both a security and system administration point of view.  Your
> solution does not change the fact that the potentially dangerous/insecure path
> is still compiled into the sshd binary [..]

from defines.h
# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"

My God.. if that is 'potentially dangerous/insecure' then every UNIX
in the world's default path is insecure.   I am speaking as an admin.

At worst it adds on $PREFIX/bin.  To the *END* of the search path.

And if you change it via --with-default-path  (like what Redhat does to include
/usr/local/bin FIRST which is lame) then you should know what you're
doing.

> [..], plus it is the responsibility of the ssh subsystem to configure 
> itself properly.  This path is required by the ssh daemon so it can find 
> its scp program, it should NOT be up to the sys admin to modify every

Subsystem != scp.  Subsystem is a v2 feature that is *NOT* used by scp.  
If you want to ensure that the subsystem ALWAYS finds the RIGHT file.. 
FULLY path it out in the sshd_config.  (Which it is by default: 'Subsystem 
sftp /usr/libexec/sftp-server').

Subsystem has *NOTHING* to do with scp.  Do you see a 'Subsystem scp ..'?
I sure don't.  Pretty much what scp is doing is a 'ssh user at site scp [..]'.
No subsystems here..

I'm sorry, but if you want to complain that there is not a 'DefaultPATH'
configuration directive do so (Better yet write up a simple patch and
provide it).  Just leave this dribble about 'security' out of it since it is a 
load of crap.

But in any case I can tell you have not a CLUE as to what the difference is
between 'remote command exec' and 'subsystems'.  You really should do your 
homework better before ranting.
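A small checker, added here as an example and not part of the bug report or of OpenSSH, for the two points the comment makes: Subsystem commands in sshd_config should be given as absolute paths (otherwise they are looked up through the session's PATH), and a default search path should contain only absolute directories. The sshd_config fragment is constructed for the example.

```python
"""Lint sshd_config Subsystem directives and a PATH string.

Constructed sample data; not taken from any real host."""

# Constructed sshd_config fragment. Keywords in sshd_config are case-insensitive.
SAMPLE_SSHD_CONFIG = """\
# sshd_config sample
Port 22
Subsystem sftp /usr/libexec/sftp-server
Subsystem   backup   run-backup.sh --nightly
subsystem dump /opt/tools/dump
"""

# The compiled-in default from defines.h quoted in the thread.
DEFAULT_PATH = "/usr/bin:/bin:/usr/sbin:/sbin"


def parse_subsystems(config_text):
    """Return (name, command) for every Subsystem directive.

    Full-line comments and blank lines are skipped; the directive's argument is
    'name command [args]', so only the first word after the name is the command.
    """
    found = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0].lower() == "subsystem" and len(parts) == 3:
            name, rest = parts[1], parts[2]
            found.append((name, rest.split()[0]))
    return found


def relative_subsystems(config_text):
    """Subsystem entries whose command is not an absolute path.

    These are resolved through the session's PATH when the subsystem starts,
    so their behaviour depends on that PATH rather than on the config alone.
    """
    return [(n, c) for n, c in parse_subsystems(config_text)
            if not c.startswith("/")]


def path_problems(path_value):
    """Entries of a colon-separated PATH that are empty or relative.

    An empty entry or '.' means the current working directory is searched,
    which makes command lookup depend on where the process happens to run.
    """
    return [e for e in path_value.split(":") if e == "" or not e.startswith("/")]
```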