Launchpad has imported 8 comments from the remote bug at
https://bugzilla.xfce.org/show_bug.cgi?id=12282.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2015-10-30T12:35:00+00:00 David Thompson wrote:

Created attachment 6514
patch file

xflock4 clobbers the PATH environment variable with a hardcoded value.
/bin and /usr/bin may be common locations to find binaries on FHS
distros, but it is not always so.  I am a maintainer for the GNU GuixSD
project, which does not conform to the FHS, and we do not have /usr/bin
or anything in /bin except /bin/sh.  So, I think the sanest thing to do
in this script is not touch PATH at all.  It should be properly
configured before the xflock4 process is launched.

I noticed this bug on 4.12.0.  The attached patch is against the current
master branch.

Thanks!

Reply at:
https://bugs.launchpad.net/ubuntu/+source/xfce4-session/+bug/1766765/comments/0

------------------------------------------------------------------------
On 2016-01-29T09:16:06+00:00 Landry-o wrote:

I think the original idea of setting PATH to a limited 'trusted' list of
subdirs was to prevent potential attackers/malware from dropping malicious
replacements for xlock/etc in user-writable directories potentially in
the user's PATH...

Reply at:
https://bugs.launchpad.net/ubuntu/+source/xfce4-session/+bug/1766765/comments/1

------------------------------------------------------------------------
On 2016-01-29T13:59:32+00:00 Jarno Suni wrote:

So isn't the solution then that the system administrator changes PATH so
that it does not contain user-writeable directories? Well, in a terminal a
regular user can change PATH though.

I think it would be safer to check in xflock4 that the command is not
user-writeable and is owned by root. (I have a shell function for that.)

If the command given by an xfconf variable is used for locking, it can be
changed by a regular user to run some command that might not lock anyway,
but supposedly not as harmful a command.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/xfce4-session/+bug/1766765/comments/2

------------------------------------------------------------------------
On 2016-01-29T17:30:19+00:00 Jarno Suni wrote:

(In reply to Jarno Suni from comment #2)

> I think it would be safer to check in xflock4 that the command is not
> user-writeable and is owned by root. (I have a shell function for that.)

Actually this is tricky. The command could be wrapped by e.g. "time ",
"dash -c " etc. so how do you find the final wrapped command?

Reply at:
https://bugs.launchpad.net/ubuntu/+source/xfce4-session/+bug/1766765/comments/3

------------------------------------------------------------------------
On 2016-01-29T20:03:30+00:00 Jarno Suni wrote:

How could you know that the command is not on a removable drive then?

Reply at:
https://bugs.launchpad.net/ubuntu/+source/xfce4-session/+bug/1766765/comments/4

------------------------------------------------------------------------
On 2016-01-29T21:46:21+00:00 Jarno Suni wrote:

I think xflock4 could use "command -vp command_name" to get the secure
path of a locker command command_name. Would that work in GNU GuixSD,
too?

Reply at:
https://bugs.launchpad.net/ubuntu/+source/xfce4-session/+bug/1766765/comments/5

------------------------------------------------------------------------
On 2016-01-30T15:45:01+00:00 Jarno Suni wrote:

Oh, unfortunately `command -vp` does not work in dash even on Linux, but
works in bash.
(https://bugs.launchpad.net/ubuntu/+source/dash/+bug/1539932)

Reply at:
https://bugs.launchpad.net/ubuntu/+source/xfce4-session/+bug/1766765/comments/6

------------------------------------------------------------------------
On 2016-01-31T14:09:35+00:00 Jarno Suni wrote:

`command -pv` or even `command -v` is not required in POSIX 2004
(http://stackoverflow.com/a/34572831/4414935),
but I think we can use `command -p getconf PATH` to get a reasonable PATH for
the script.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/xfce4-session/+bug/1766765/comments/7
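
Added example (not part of the imported comments and not xflock4 code): a POSIX sh sketch combining two ideas from the thread, taking the search path from `command -p getconf PATH` instead of `$PATH`, and accepting a locker only if it is owned by root and not writable by group or others. The function names are hypothetical, and it does not address the wrapped-command or removable-drive questions raised in the comments above.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not from xflock4.

# System default PATH, looked up without consulting the caller's $PATH.
trusted_path() {
    command -p getconf PATH
}

# Succeeds only for a regular file owned by uid 0 that neither group nor
# others can write. Symlinks are followed (-L); parent directories are
# not examined here.
is_root_owned_readonly() {
    [ -n "$(find -L "$1" -prune -type f -user 0 \
              ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# Resolve a bare command name against the colon-separated list $2 only.
# Prints the first executable match that passes the ownership check.
resolve_in() {
    case $1 in ''|*/*) return 1 ;; esac   # bare names only, no paths
    _old_ifs=$IFS; IFS=:
    set -f                                # no globbing while splitting
    for _dir in $2; do
        case $_dir in /*) ;; *) continue ;; esac   # skip "" and relative entries
        if [ -x "$_dir/$1" ] && is_root_owned_readonly "$_dir/$1"; then
            IFS=$_old_ifs; set +f
            printf '%s\n' "$_dir/$1"
            return 0
        fi
    done
    IFS=$_old_ifs; set +f
    return 1
}

# Locate a locker by name using the default PATH instead of $PATH.
find_locker() {
    resolve_in "$1" "$(trusted_path)"
}
```

A caller would run the path printed by `find_locker`, so a same-named file dropped in a user-writable directory earlier in `$PATH` is never considered.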


** Changed in: xfce4-session
       Status: Unknown => Confirmed

** Changed in: xfce4-session
   Importance: Unknown => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1766765

Title:
  xflock4 fails if light-locker installed in /usr/local/bin

To manage notifications about this bug go to:
https://bugs.launchpad.net/xfce4-session/+bug/1766765/+subscriptions
