Details Ticket 4281




Serial Number 4281
Subject Init.sh: security issue with the PATH
Area RCbug
Queue grass
Requestors hamish_nospam@yahoo.com
Owner none
Status resolved
Last User Contact Never contacted
Current Priority 90
Final Priority 70
Due No date assigned
Last Action Thu Apr 20 11:33:06 2006 (2 yr ago)
Created Wed Apr 12 09:35:02 2006 (2 yr ago)

Transaction History Ticket 4281


Wed, Apr 12 2006 09:35:02    Request created by hbowman  
Subject: Init.sh: security issue with the PATH

Hi,

If you haven't set $GRASS_ADDON_PATH, then the path statement in Init.sh 
includes "./" in the path.

e.g.
unset GRASS_ADDON_PATH

#Init.sh
PATH=$GISBASE/bin:$GISBASE/scripts:$GRASS_ADDON_PATH:$PATH

translates to

PATH=$GISBASE/bin:$GISBASE/scripts::$PATH

Now the "::" part acts like ":./:", which is a security risk -- if someone
dumps a nasty script called "ls" in your home dir, bad times may ensue.


better:

if [ -n "$GRASS_ADDON_PATH" ] ; then
   PATH="$GISBASE/bin:$GISBASE/scripts:$GRASS_ADDON_PATH:$PATH"
else
   PATH="$GISBASE/bin:$GISBASE/scripts:$PATH"
fi


??

or if [ -d "$GRASS_ADDON_PATH" ] ; then
??


Hamish
Wed, Apr 19 2006 10:06:23    Area changed to RCbug by hbowman  
Thu, Apr 20 2006 11:33:06    Status changed to resolved by hbowman  
Thu, Apr 20 2006 11:33:06    Comments added by hbowman  
fixed in CVS for 6.1 (HEAD), 6.0.x, and 5 branches


Hamish
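
An added example, not part of the ticket or of Init.sh: a POSIX sh check that reports PATH entries resolving to the current directory (empty entries from a leading or trailing ":" or a "::", plus "." and "./"), next to a join helper that skips empty components. GISBASE and GRASS_ADDON_PATH are the variables from the ticket; the function names cwd_entries and join_path, the OLD_PATH stand-in and all sample values are constructed for illustration.

```sh
#!/bin/sh
# Report every entry of a PATH-style string that means "current directory":
# empty entries (leading/trailing ":" or "::"), "." and "./".
# Returns 0 when the string is clean, 1 when at least one entry was found.
cwd_entries() {
    rest="$1:"      # trailing ":" so a final empty entry is seen as well
    pos=0
    found=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        pos=$((pos + 1))
        case "$entry" in
            ""|.|./) echo "entry $pos: '$entry' means current directory"
                     found=1 ;;
        esac
    done
    return $found
}

# Join the arguments with ":" and skip empty ones, so an unset or empty
# variable cannot leave a "::" behind. An argument that already holds
# several entries (such as the inherited PATH) is passed through unchanged.
join_path() {
    out=""
    for dir in "$@"; do
        [ -n "$dir" ] || continue
        out="${out:+$out:}$dir"
    done
    printf '%s\n' "$out"
}

GISBASE=/usr/local/grass     # constructed sample value
OLD_PATH=/usr/bin:/bin       # constructed stand-in for the inherited $PATH
GRASS_ADDON_PATH=""          # empty expands the same way as unset here

# The assignment quoted in the ticket, and the same parts joined safely.
unsafe="$GISBASE/bin:$GISBASE/scripts:$GRASS_ADDON_PATH:$OLD_PATH"
safe=$(join_path "$GISBASE/bin" "$GISBASE/scripts" "$GRASS_ADDON_PATH" "$OLD_PATH")

echo "unsafe: $unsafe"
cwd_entries "$unsafe" || true
echo "safe:   $safe"
cwd_entries "$safe" && echo "no current-directory entries"
```

Running cwd_entries "$PATH" at the end of a login or init script gives a quick check that no startup file has introduced an implicit current-directory entry.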