Bug 1127138

Summary: YaST runs programs with wrong absolute path
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Martin Vidner <mvidner>
Component: YaST2
Assignee: E-mail List <yast2-maintainers>
Status: RESOLVED FIXED
QA Contact: Jiri Srain <jsrain>
Severity: Normal
Priority: P5 - None
CC: fcrozat
Version: Current
Target Milestone: ---
Hardware: All
OS: Other
URL: https://trello.com/c/plarcsbX
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: check-program-paths

Description Martin Vidner 2019-02-27 10:04:57 UTC
In a recent security hardening (bsc#1118291) we changed an invocation of
  system "mkdir #{dir}"
to
  system "/usr/sbin/mkdir #{dir.shellescape}"
which is wrong because the correct path is /usr/bin/mkdir.

Finding this particular problem has prompted us to look for similar bugs, be they introduced by wrongly absolutizing program paths or by programs changing their location.

I have found:

yast/yast-nfs-client/src/modules/Nfs.rb:563 "/usr/sbin/rpcinfo"
yast/yast-yast2/library/network/src/modules/NetworkPopup.rb:198
is /sbin/rpcinfo

yast/yast-users/src/modules/UsersRoutines.pm:49 "/usr/sbin/cryptconfig"
removed in 15.0, https://doc.opensuse.org/release-notes/x86_64/openSUSE/Leap/15.0/

yast/yast-bootloader/src/lib/bootloader/boot_record_backup.rb:39 "/usr/sbin/mkdir"
is /usr/bin/mkdir

yast/yast-packager/src/include/checkmedia/ui.rb:542 "/bin/eject"
is /usr/bin/eject

yast/yast-yast2/library/general/src/scrconf/run_ifconfig.scr:49 "/sbin/ifconfig"
is /usr/bin/ifconfig in net-tools-deprecated
used by yast/yast-instserver/src/modules/Instserver.rb:673
Comment 1 Martin Vidner 2019-02-27 12:24:49 UTC
Fixes for the simple cases, under review:

- https://github.com/yast/yast-bootloader/pull/555
- https://github.com/yast/yast-nfs-client/pull/80
- https://github.com/yast/yast-yast2/pull/898
- https://github.com/yast/yast-packager/pull/404

The cryptconfig case in yast2-users seems to be embedded in a bigger chunk of dead code; I'm checking it now.
Comment 2 Martin Vidner 2019-02-27 14:41:22 UTC
The above PRs are merged.

The last one: https://github.com/yast/yast-users/pull/198
Comment 3 Martin Vidner 2019-02-28 09:04:19 UTC
Created attachment 798386 [details]
check-program-paths

This is the script that I used to find the bugs.
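The attached check-program-paths script is not reproduced in this bug, so the following is an added example, written for this page and not the reporter's script, of the kind of check the description and comment 3 describe: pull every hard-coded absolute program path out of source files and flag the ones that do not exist on the system, suggesting the directory where a program of that name does live. The regular expression, the constructed sample sources and the fake usrmerge-style file list are assumptions made for the example; against a real tree you would pass `File.method(:executable?)` as the existence test and feed it the real files.

```ruby
# Added example (not the bug's attachment): find hard-coded absolute program
# paths in source text and report the ones that do not resolve.

# Matches an absolute path into the usual program directories, e.g.
# "/usr/sbin/rpcinfo" or '/bin/eject', at the start of a quoted string literal.
# Constructed for this example; a real scanner may want to cover more directories.
PROGRAM_PATH_RE = %r{["']((?:/usr)?/s?bin/[A-Za-z0-9_.+-]+)}

# Return [line_number, path] pairs for every program path referenced in +source+.
def program_paths(source)
  found = []
  source.each_line.with_index(1) do |line, lineno|
    line.scan(PROGRAM_PATH_RE) { |(path)| found << [lineno, path] }
  end
  found
end

# Return nil when +path+ exists, otherwise a verdict string: either the
# directory where a program of that basename was found, or "not found anywhere".
# +exists+ is any callable answering "is this file present?", so the check can
# run against the live filesystem (File.method(:executable?)) or a fixed list.
def check_path(path, exists)
  return nil if exists.call(path)
  basename = File.basename(path)
  candidates = %w[/usr/bin /usr/sbin /bin /sbin].map { |dir| File.join(dir, basename) }
  alternative = candidates.find { |candidate| exists.call(candidate) }
  alternative ? "is #{alternative}" : "not found anywhere"
end

# Scan +source+ (contents of +filename+) and return report lines in the same
# "file:line "path" verdict" shape the bug description uses.
def report(filename, source, exists)
  program_paths(source).filter_map do |lineno, path|
    verdict = check_path(path, exists)
    verdict && "#{filename}:#{lineno} \"#{path}\" #{verdict}"
  end
end

# Constructed sample data: a usrmerge-style layout where the real binaries live
# under /usr/bin, plus three source snippets resembling the ones named in the bug.
SAMPLE_FS = %w[/usr/bin/mkdir /usr/bin/eject /usr/bin/rpcinfo].freeze

SAMPLE_SOURCES = {
  "boot_record_backup.rb" => 'system "/usr/sbin/mkdir #{dir.shellescape}"' + "\n",
  "ui.rb" => "cmd = \"/bin/eject\"\nok = \"/usr/bin/eject\"\n",
  "UsersRoutines.pm" => 'my $cc = "/usr/sbin/cryptconfig";' + "\n"
}.freeze

# Run the scanner over the constructed samples; only the broken paths come back.
def sample_report
  exists = ->(path) { SAMPLE_FS.include?(path) }
  SAMPLE_SOURCES.flat_map { |name, source| report(name, source, exists) }
end

puts sample_report if __FILE__ == $PROGRAM_NAME
```

On the sample input the scanner reports `/usr/sbin/mkdir` as living in `/usr/bin`, `/bin/eject` as living in `/usr/bin`, and `/usr/sbin/cryptconfig` as not found anywhere, while the correct `/usr/bin/eject` reference is silent. A path that resolves today is still only half the fix: the argument form `system("/usr/bin/mkdir", dir)` bypasses the shell altogether, so the directory argument needs no escaping and the program cannot be swapped by a manipulated PATH.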
Comment 4 Martin Vidner 2019-02-28 09:05:56 UTC
All PRs merged.
Comment 5 Frederic Crozat 2019-03-01 16:47:55 UTC
(In reply to Martin Vidner from comment #0)

> yast/yast-yast2/library/general/src/scrconf/run_ifconfig.scr:49
> "/sbin/ifconfig"
> is /usr/bin/ifconfig in net-tools-deprecated
> used by yast/yast-instserver/src/modules/Instserver.rb:673

This module should be adapted to use ip and no longer ifconfig.