Subject: security/3995: /etc/security check for . in root path yields false positive
To: None <gnats-bugs@gnats.netbsd.org>
From: None <jbernard@tater.mines.edu>
List: netbsd-bugs
Date: 08/15/1997 21:40:48
>Number:         3995
>Category:       security
>Synopsis:       /etc/security check for . in root path yields false positive
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    gnats-admin (GNATS administrator)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Aug 15 20:50:01 1997
>Last-Modified:
>Originator:     Jim Bernard
>Organization:
	speaking for myself
>Release:        August 15, 1997
>Environment:
System: NetBSD zoo 1.2G NetBSD 1.2G (ZOO) #0: Sat Jul 19 12:48:58 MDT 1997 jim@zoo:/jaz/home/local/compile/sys/arch/i386/compile/ZOO i386


>Description:
	/etc/security checks for . in root's path by processing startup files
	for /bin/sh after setting a null PATH.  However, /bin/sh implicitly
	assumes a path consisting of "." if PATH is null, so . is falsely
	found to be in the path, regardless of the contents of the startup
	files (some of which, by default, do nothing at all).
>How-To-Repeat:
	Read the daily security reports when one or more of /etc/profile or
	/root/.profile does not modify PATH.  Note the erroneous complaints
	about the presence of . in PATH.
>Fix:
	By unsetting PATH _before_ executing the subshell, this fix allows
	the shell to choose its own default PATH (/bin /usr/bin) rather than
	being forced to deal with a null PATH and defaulting to ".".  This
	avoids the false positives, since it produces the same PATH as
	would be obtained with a fresh login.  The fix below includes a
	similar modification to the csh section, even though that shell
	doesn't suffer from the same problem (it doesn't default to using
	a path of "." when path is unset)--it somehow seems more satisfying
	to have both checks based on the path produced by a fresh login.

	BTW: These changes presumably mean that the comments about the path
	checks failing in "other environments" can be removed, though I
	haven't included that change in the patch.

--- security-dist	Tue Jun 24 05:08:51 1997
+++ security	Fri Aug 15 21:11:36 1997
@@ -162,15 +162,17 @@
 			egrep umask $i |
 			awk '$2 % 100 < 20 \
 				{ print "Root umask is group writeable" }
 			     $2 % 10 < 2 \
 				{ print "Root umask is other writeable" }' >> $OUTPUT
+			SAVE_PATH=$PATH
+			unset PATH
 			/bin/csh -f -s << end-of-csh > /dev/null 2>&1
-				unset path
 				source $i
 				/bin/ls -ldgT \$path > $TMP1
 end-of-csh
+			PATH=$SAVE_PATH
 			awk '{
 				if ($10 ~ /^\.$/) {
 					print "The root path includes .";
 					next;
 				}
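Review bot: the restore line `PATH=$SAVE_PATH` leaves PATH set but no longer exported in the script's own shell, because `unset PATH` drops the export attribute in /bin/sh; everything /etc/security runs after this point then inherits no PATH in its environment (the script's own command lookup still works, since the shell uses its internal value, but any child that execs by name falls back to the libc default). Either write the restore as `PATH=$SAVE_PATH; export PATH`, or run the whole sequence as `( unset PATH; /bin/csh -f -s << end-of-csh ... )` in a subshell so the parent's PATH is never touched and SAVE_PATH is unnecessary. The same applies to the restore line in the /bin/sh section below.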
@@ -204,16 +206,18 @@
 			egrep umask $i |
 			awk '$2 % 100 < 20 \
 				{ print "Root umask is group writeable" } \
 			     $2 % 10 < 2 \
 				{ print "Root umask is other writeable" }' >> $OUTPUT
+			SAVE_PATH=$PATH
+			unset PATH
 			/bin/sh << end-of-sh > /dev/null 2>&1
-				PATH=
 				. $i
 				list=\`echo \$PATH | /usr/bin/sed -e 's/:/ /g'\`
 				/bin/ls -ldgT \$list > $TMP1
 end-of-sh
+			PATH=$SAVE_PATH
 			awk '{
 				if ($10 ~ /^\.$/) {
 					print "The root path includes .";
 					next;
 				}
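Review bot: with the `PATH=` line removed the heredoc shell now reports the PATH a fresh login would get, but the check that follows still only recognises a literal `.` element: `sed -e 's/:/ /g'` followed by the unquoted `$list` discards empty elements, so a profile that leaves a leading colon, a trailing colon or `::` in PATH (all of which /bin/sh searches as the current directory) still passes silently. Either test the raw `$PATH` string for those forms as well, or at least document the limitation in the script comment about the path checks failing in "other environments", which the description acknowledges this patch leaves stale.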
>Audit-Trail:
>Unformatted:
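As an added example (not part of the report or of NetBSD's /etc/security), the following POSIX sh script reproduces the difference the fix relies on, sourcing a constructed startup file in a fresh /bin/sh once with PATH exported empty and once with PATH unset, and then applies a ". in PATH" test that also catches the empty elements (leading, trailing or doubled colons) which POSIX treats as the current directory and which the script's sed/ls pipeline drops. The function names, the sample profile and the TMPDIR handling are assumptions of this example; the PATH shown for the unset case is whatever default the host's /bin/sh compiles in.

```shell
#!/bin/sh
# Added example, not part of the bug report or of NetBSD's /etc/security.
# Reproduces the behaviour the fix relies on: /bin/sh treats an *empty*
# PATH as ".", but an *unset* PATH makes it fall back to its compiled-in
# default.  All function names and the sample profile are constructed here.

# Write a constructed startup file that, like a default /root/.profile,
# only sets umask and never touches PATH.  Prints its (absolute) path.
make_sample_profile() {
    f=$(mktemp "${TMPDIR:-/tmp}/profile.XXXXXX") || return 1
    printf '%s\n' '# constructed sample startup file: umask only' 'umask 022' > "$f"
    printf '%s\n' "$f"
}

# Source startup file $1 in a fresh /bin/sh the way /etc/security does and
# print the PATH that shell ends up with.  $2 selects the old behaviour
# ("empty": PATH exported as an empty string) or the fixed one ("unset":
# PATH removed from the environment).  $1 must contain a slash, otherwise
# "." would search PATH for it.
path_after_sourcing() {
    if [ "$2" = empty ]; then
        PATH= /bin/sh -c '. "$1"; printf "%s\n" "$PATH"' sh "$1"
    else
        ( unset PATH; /bin/sh -c '. "$1"; printf "%s\n" "$PATH"' sh "$1" )
    fi
}

# Return 0 if the PATH value in $1 would search the current directory.
# Wrapping the value in colons makes every element appear as ":elem:", so
# ":.:" is a literal "." element and "::" is an empty element, which POSIX
# also resolves to the current directory (leading/trailing/doubled colon,
# or an entirely empty PATH as in the false positive from the report).
path_includes_dot() {
    case ":$1:" in
        *::*|*:.:*) return 0 ;;
    esac
    return 1
}

# Demo: the same startup file, checked both ways.
profile=$(make_sample_profile) || exit 1
for mode in empty unset; do
    p=$(path_after_sourcing "$profile" "$mode")
    if path_includes_dot "$p"; then verdict="root path includes ."; else verdict="clean"; fi
    printf '%-5s PATH -> "%s": %s\n' "$mode" "$p" "$verdict"
done
rm -f "$profile"
```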