Hi Matt,

Received the attached patch from Raphael Hertzog <hert...@debian.org> at https://bugs.debian.org/903403 . You wrote in the bug report that you'd apply the patch upstream but maybe that fell off-screen? Forwarding to the list for more visibility anyway. :-)

Cheers,
-- 
Guilhem.
--- a/default_options.h +++ b/default_options.h @@ -291,5 +291,6 @@ be overridden at runtime with -I. 0 disa /* The default path. This will often get replaced by the shell */ #define DEFAULT_PATH "/usr/bin:/bin" +#define DEFAULT_ROOT_PATH "/usr/sbin:/usr/bin:/sbin:/bin" #endif /* DROPBEAR_DEFAULT_OPTIONS_H_ */ --- a/svr-chansession.c +++ b/svr-chansession.c @@ -961,7 +961,11 @@ static void execchild(const void *user_d addnewvar("LOGNAME", ses.authstate.pw_name); addnewvar("HOME", ses.authstate.pw_dir); addnewvar("SHELL", get_user_shell()); - addnewvar("PATH", DEFAULT_PATH); + if (getuid() == 0) { + addnewvar("PATH", DEFAULT_ROOT_PATH); + } else { + addnewvar("PATH", DEFAULT_PATH); + } if (chansess->term != NULL) { addnewvar("TERM", chansess->term); }
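Review bot: DEFAULT_ROOT_PATH in default_options.h is added without a comment of its own, so it reads as if the existing "The default path. This will often get replaced by the shell" comment covers both defines. A short comment above the new define saying it is the PATH given to sessions running as uid 0, and that it adds the sbin directories, would keep the options file self-documenting for people who override these values at build time.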
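Review bot: the `getuid() == 0` test in execchild() in svr-chansession.c decides on the real uid of the process at this point, not on the user who authenticated, so it is only correct if privileges have already been changed to the login user before the environment is built; the hunk does not show that ordering. Either confirm it and say so in a comment next to the check, or base the decision on the authenticated user's record in ses.authstate, which the neighbouring LOGNAME and HOME lines already use. The if/else could also be collapsed into a single addnewvar("PATH", ...) call with a conditional expression, which keeps one call site for PATH.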