Launchpad has imported 8 comments from the remote bug at https://bugzilla.xfce.org/show_bug.cgi?id=12282.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking. ------------------------------------------------------------------------ On 2015-10-30T12:35:00+00:00 David Thompson wrote: Created attachment 6514 patch file xflock4 clobbers the PATH environment variable with a hardcoded value. /bin and /usr/bin may be common locations to find binaries on FHS distros, but it is not always so. I am a maintainer for the GNU GuixSD project, which does not conform to the FHS, and we do not have /usr/bin or anything in /bin except /bin/sh. So, I think the sanest thing to do in this script is not touch PATH at all. It should be properly configured before the xflock4 process is launched. I noticed this bug on 4.12.0. The attached patch is against the current master branch. Thanks! Reply at: https://bugs.launchpad.net/ubuntu/+source/xfce4-session/+bug/1766765/comments/0 ------------------------------------------------------------------------ On 2016-01-29T09:16:06+00:00 Landry-o wrote: I think the original idea of setting PATH to a limited 'trusted' list of subdirs was to avoid potential attackers/malwares to drop malicious replacements for xlock/etc in user-writable directories potentially in the user's PATH... Reply at: https://bugs.launchpad.net/ubuntu/+source/xfce4-session/+bug/1766765/comments/1 ------------------------------------------------------------------------ On 2016-01-29T13:59:32+00:00 Jarno Suni wrote: So isn't the solution then that system administer changes PATH so that it does not contain user-writeable directories? Well, in terminal a regular user can change PATH though. I think it would be safer to check in xflock4 that the command is not user-writeable and is owned by root. (I have a shell function for that.) If the command told by an xfconf variable is used for locking, it can be changed by regular user to run some command that might not lock anyway, but supposedly not as harmful command. Reply at: https://bugs.launchpad.net/ubuntu/+source/xfce4-session/+bug/1766765/comments/2 ------------------------------------------------------------------------ On 2016-01-29T17:30:19+00:00 Jarno Suni wrote: (In reply to Jarno Suni from comment #2) > I think it would be safer to check in xflock4 that the command is not > user-writeable and is owned by root. (I have a shell function for that.) Actually this is tricky. The command could be wrapped by e.g. "time ", "dash -c " etc. so how do you find the final wrapped command? Reply at: https://bugs.launchpad.net/ubuntu/+source/xfce4-session/+bug/1766765/comments/3 ------------------------------------------------------------------------ On 2016-01-29T20:03:30+00:00 Jarno Suni wrote: How could you know that the command is not in a removeable drive then? Reply at: https://bugs.launchpad.net/ubuntu/+source/xfce4-session/+bug/1766765/comments/4 ------------------------------------------------------------------------ On 2016-01-29T21:46:21+00:00 Jarno Suni wrote: I think xflock4 could use "command -vp command_name" to get the secure path of a locker command command_name. Would that work in GNU GuixSD, too? Reply at: https://bugs.launchpad.net/ubuntu/+source/xfce4-session/+bug/1766765/comments/5 ------------------------------------------------------------------------ On 2016-01-30T15:45:01+00:00 Jarno Suni wrote: Oh, unfortunately `command -vp` does not work by dash even in Linux, but works by bash. (https://bugs.launchpad.net/ubuntu/+source/dash/+bug/1539932) Reply at: https://bugs.launchpad.net/ubuntu/+source/xfce4-session/+bug/1766765/comments/6 ------------------------------------------------------------------------ On 2016-01-31T14:09:35+00:00 Jarno Suni wrote: `command -pv` or even `command -v` is not required in POSIX 2004 http://stackoverflow.com/a/34572831/4414935 but I think we can use `command -p getconf PATH` to get a reasonable PATH for the script. Reply at: https://bugs.launchpad.net/ubuntu/+source/xfce4-session/+bug/1766765/comments/7 ** Changed in: xfce4-session Status: Unknown => Confirmed ** Changed in: xfce4-session Importance: Unknown => Medium -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1766765 Title: xflock4 fails if light-locker installed in /usr/local/bin To manage notifications about this bug go to: https://bugs.launchpad.net/xfce4-session/+bug/1766765/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
