Bug 1127138 - YaST runs programs with wrong absolute path
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: YaST2
Version: Current
Hardware: All Other
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assigned To: E-mail List
Jiri Srain
https://trello.com/c/plarcsbX
Reported: 2019-02-27 10:04 UTC by Martin Vidner
Modified: 2022-09-12 10:29 UTC (History)

Attachments
check-program-paths (895 bytes, text/plain)
2019-02-28 09:04 UTC, Martin Vidner

Description Martin Vidner 2019-02-27 10:04:57 UTC
In a recent security hardening (bsc#1118291) we changed an invocation of
  system "mkdir #{dir}"
to
  system "/usr/sbin/mkdir #{dir.shellescape}"
which is wrong because the correct path is /usr/bin/mkdir.

Finding this particular problem has prompted us to look for similar bugs, be they introduced by wrongly absolutizing program paths or by programs changing their location.

I have found:

yast/yast-nfs-client/src/modules/Nfs.rb:563 "/usr/sbin/rpcinfo"
yast/yast-yast2/library/network/src/modules/NetworkPopup.rb:198
is /sbin/rpcinfo

yast/yast-users/src/modules/UsersRoutines.pm:49 "/usr/sbin/cryptconfig"
removed in 15.0, https://doc.opensuse.org/release-notes/x86_64/openSUSE/Leap/15.0/

yast/yast-bootloader/src/lib/bootloader/boot_record_backup.rb:39 "/usr/sbin/mkdir"
is /usr/bin/mkdir

yast/yast-packager/src/include/checkmedia/ui.rb:542 "/bin/eject"
is /usr/bin/eject

yast/yast-yast2/library/general/src/scrconf/run_ifconfig.scr:49 "/sbin/ifconfig"
is /usr/bin/ifconfig in net-tools-deprecated
used by yast/yast-instserver/src/modules/Instserver.rb:673
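The two halves of this report, as an added Ruby example that is not YaST code and not the attached check-program-paths script (whose contents are not shown here): first, why `system "mkdir #{dir}"` is a shell-injection hazard and how quoting with `shellescape` or, better, the argv form of `Kernel#system` removes it; second, a small checker in the spirit of the attachment that scans Ruby source for absolute program paths and reports those that do not exist. `resolve_program`, `safe_mkdir` and `check_program_paths` are hypothetical helpers introduced here; the sample source text is constructed.

```ruby
require "shellwords"
require "tmpdir"

# Added example, not code from YaST or from the attached script.

# The vulnerable form from the report: the directory name is interpolated
# unquoted into a shell command line.  Returned as a string, not executed.
def naive_cmd(dir)
  "mkdir #{dir}"
end

# The hardened form from the report: shell-quoted argument plus an
# absolute program path (the report's original fix had /usr/sbin/mkdir,
# which does not exist; the correct path is /usr/bin/mkdir).
def hardened_cmd(dir, mkdir = "/usr/bin/mkdir")
  "#{mkdir} #{dir.shellescape}"
end

# Hypothetical helper (assumption, not a YaST API): pick the first candidate
# that exists and is executable, so a wrong or moved path fails loudly at
# lookup time instead of silently at call time.
def resolve_program(candidates)
  found = candidates.find { |p| File.executable?(p) }
  raise "none of #{candidates.inspect} is executable" unless found
  found
end

# Creates parent/name with the argv form of Kernel#system: no shell is
# involved, so metacharacters in name are just part of the directory name.
def safe_mkdir(parent, name)
  mkdir = resolve_program(%w[/usr/bin/mkdir /bin/mkdir])
  path = File.join(parent, name)
  system(mkdir, "--", path) or raise "mkdir failed for #{path.inspect}"
  path
end

# Matches double-quoted literals such as "/usr/sbin/mkdir" or "/bin/eject -v"
# and captures only the program path.
ABS_PATH_LITERAL = %r{"(/(?:usr/)?s?bin/[A-Za-z0-9_.+-]+)(?=[\s"])}

# Hypothetical checker: returns [line_number, path] for every absolute
# program path literal in `source` that `exists` rejects.  Defaults to the
# real filesystem; pass a predicate to check against a known list instead.
def check_program_paths(source, exists: ->(p) { File.executable?(p) })
  source.each_line.with_index(1).flat_map do |line, lineno|
    line.scan(ABS_PATH_LITERAL).flatten
        .reject { |p| exists.call(p) }
        .map { |p| [lineno, p] }
  end
end

if __FILE__ == $PROGRAM_NAME
  hostile = "x; touch pwned"
  puts naive_cmd(hostile)     # the shell would see two commands
  puts hardened_cmd(hostile)  # one backslash-quoted argument
  Dir.mktmpdir do |tmp|
    safe_mkdir(tmp, hostile)
    puts Dir.children(tmp).inspect   # ["x; touch pwned"], no "pwned" file
  end
  # Constructed sample source, modelled on the wrong/right pair in the report.
  sample = "system \"/usr/sbin/mkdir -p x\"\nsystem \"/usr/bin/mkdir -p x\"\n"
  known = %w[/usr/bin/mkdir]
  p check_program_paths(sample, exists: ->(p) { known.include?(p) })
end
```

Run the file directly to see both demonstrations; in a real tree you would feed `check_program_paths` the contents of each `.rb` and `.scr` file and let the default predicate consult the filesystem of the target product, which is what makes the check sensitive to programs that have moved (as rpcinfo, eject and ifconfig did) as well as to paths that were simply typed wrong.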
Comment 1 Martin Vidner 2019-02-27 12:24:49 UTC
Fixes for the simple cases, under review:

- https://github.com/yast/yast-bootloader/pull/555
- https://github.com/yast/yast-nfs-client/pull/80
- https://github.com/yast/yast-yast2/pull/898
- https://github.com/yast/yast-packager/pull/404

The cryptconfig case in yast2-users seems to be embedded in a bigger chunk of dead code, I'm checking it now
Comment 2 Martin Vidner 2019-02-27 14:41:22 UTC
The above PRs are merged.

The last one: https://github.com/yast/yast-users/pull/198
Comment 3 Martin Vidner 2019-02-28 09:04:19 UTC
Created attachment 798386 [details]
check-program-paths

This is the script that I used to find the bugs
Comment 4 Martin Vidner 2019-02-28 09:05:56 UTC
All PRs merged.
Comment 5 Frederic Crozat 2019-03-01 16:47:55 UTC
(In reply to Martin Vidner from comment #0)

> yast/yast-yast2/library/general/src/scrconf/run_ifconfig.scr:49
> "/sbin/ifconfig"
> is /usr/bin/ifconfig in net-tools-deprecated
> used by yast/yast-instserver/src/modules/Instserver.rb:673

this module should be adapted to use ip and no longer ifconfig.