[Bug 131] Problems with sshd's compiled in default PATH.

bugzilla-daemon at mindrot.org
Sat Mar 2 04:15:52 EST 2002


http://bugzilla.mindrot.org/show_bug.cgi?id=131





------- Additional Comments From smithj9870 at yahoo.com  2002-03-02 04:15 -------
Obviously you didn't read the beginning of this thread; the original submission
was about the problem of making a relocatable package, possibly installing ssh
in an unusual path, for example let's say /home/username/bin.  That path will get
added to _PATH_STDPATH and compiled into the sshd binary.  Now install it
somewhere else and that useless and potentially dangerous path will still be in
the sshd binary, and on the new system, who knows what will be in there.  Do you
honestly believe that isn't a security problem?  What I am complaining about is
that I am NOT adding that path by hand, instead ssh's configure script decides
all by itself that it MUST include that path to find scp, which is a completely
WRONG assumption made by the configure script if the ssh package is relocated! 
Am I being clear enough now?

And don't make assumptions when you start your rant.  By subsystem I am being
more general and referring to the ssh subsystem of a running computer system,
i.e. the ssh programs and their config files.  The ssh configure script should
NOT make assumptions about where it thinks its scp program will always be and
compile that into the ssh daemon.  And if you don't think having an incorrect
and unnecessary path component compiled into a root level daemon is a potential
security problem then I think you have more to learn about system administration
and security.
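
A check an administrator could run for the situation this comment describes, as an added example that is not part of the original message or of OpenSSH: it pulls PATH-like strings out of a binary image and flags components that are missing, not owned by a trusted uid, or group/world-writable. The byte string is constructed sample data reusing the /home/username/bin path from the comment, and the function names are hypothetical.

```python
import os
import re
import stat

# A run of printable bytes shaped like "/dir:/dir[:/dir...]", as _PATH_STDPATH would be.
PATH_RE = re.compile(rb"/[\x21-\x39\x3b-\x7e]*(?::/[\x21-\x39\x3b-\x7e]*)+")

# Constructed sample standing in for an sshd image built with a /home/username prefix.
CONSTRUCTED_IMAGE = (b"\x7fELF\x02\x01\x01\x00sshd\x00"
                     b"/usr/bin:/bin:/usr/sbin:/sbin:/home/username/bin\x00")


def embedded_paths(blob):
    """Return every PATH-like string found in a binary image."""
    return [m.group().decode("ascii") for m in PATH_RE.finditer(blob)]


def audit_path(path, trusted_uids=(0,)):
    """Return (component, problem) pairs for risky entries of a PATH string."""
    findings = []
    for d in path.split(":"):
        if not os.path.isabs(d):
            findings.append((d, "relative or empty component"))
            continue
        try:
            st = os.stat(d)
        except OSError:
            # Whoever can create this directory later decides what it contains.
            findings.append((d, "missing or inaccessible"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            findings.append((d, "not a directory"))
        elif st.st_uid not in trusted_uids:
            findings.append((d, "owned by uid %d" % st.st_uid))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((d, "group/world-writable"))
    return findings


if __name__ == "__main__":
    for candidate in embedded_paths(CONSTRUCTED_IMAGE):
        print(candidate)
        for component, problem in audit_path(candidate):
            print("  %-24s %s" % (component, problem))
```

On a real host the input to `embedded_paths` would be the bytes of the installed sshd binary rather than the constructed sample.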



