I was reviewing the openssh.spec file that is within the CURRENT revision of openssh and I wanted to open up a discussion about the default pathing. When the latest openssh security patch was released, our instance of openssh broke on solaris when using rsync (or any other command really). I'm not too concerned because we're still on openpkg 2.3 and I plan on upgrading when 2.6 comes out. In the current spec file I see the following in regards to default pathing:
%if "%{with_trysetpath}" == "yes" --enable-etc-default-login \ --with-default-path=%{l_prefix}/bin:/bin:/usr/bin:/usr/local/bin \ --with-superuser-path=%{l_prefix}/bin:/usr/bin:/sbin:/usr/sbin \ %else --disable-etc-default-login \ --with-default-path=/bin:/usr/bin \ --with-superuser-path=/bin:/usr/bin:/sbin:/usr/sbin \ %endif This means that on solaris systems pathing will generally be broken by default unless with_trysetpath is set to yes due to the --with-default-path and other related options. As far as I'm aware, these options are more for security reasons for openssh than they are to fix default pathing on solaris (or whatever other OS's have the same problem). My thoughts are that the option in the spec file should be called "with_securepath" (or just "with_secpath") and it should only be a single if statement that disables /etc/default/login and sets the specific paths which should only include %{l_prefix}. It definitely should not include any sbin paths because part of the reason is to lock the pathing down if you want a more secure openssh installation. In any case, I am only one opinion and as I said, I wanted to open this up for discussion. So, what do the rest of you think? -- David M. Fetter - Portland State University - UNIX Systems Administrator "I do not agree with what you have to say, but I'll defend to the death your right to say it." ~François-Marie Arouet
signature.asc
Description: This is a digitally signed message part