[SLE] Re: postfix bug: SuSEconfig.postfix runs arbitrary command, and/or fails but returns success code
From: Phil Mocek (pmocek-list-suse_at_mocek.org)
Date: 04/15/04
- Previous message: Carl William Spitzer IV: "Re: [SLE] cdrecord error messages"
- In reply to: Anders Johansson: "Re: [SLE] postfix bug: SuSEconfig.postfix runs arbitrary command, and/or fails but returns success code"
- Next in thread: Anders Johansson: "Re: [SLE] Re: postfix bug: SuSEconfig.postfix runs arbitrary command, and/or fails but returns success code"
- Reply: Anders Johansson: "Re: [SLE] Re: postfix bug: SuSEconfig.postfix runs arbitrary command, and/or fails but returns success code"
Date: Thu, 15 Apr 2004 11:28:54 -0700
To: suse-linux-e@suse.com

On Wed, Apr 14, 2004 at 01:17:14AM +0200, Anders Johansson wrote:
> On Wednesday 14 April 2004 00.07, Phil Mocek wrote:
> > I've found a bug that causes SuSEconfig (and, presumably,
> > Yast2, since it uses SuSEconfig) to fail to update Postfix
> > configuration and then incorrectly report that it has done so
> > successfully.
> >
> > More alarmingly, if any command `postconf' exists in a user's
> > PATH when running the SuSEconfig postfix module, *that
> > command*, (whichever one is found first; not necessarily the
> > intended one) will be run by SuSEconfig.
>
> I think it goes without saying that you should never have a user
> writable directory in your path when you run things as root.

Really? So when you give sudo privileges to a user, including
yourself, just how do you guarantee that the user will change his
path before every use of sudo? You'd prefer to rely on that
happening than to simply specify a full path to the correct
command in the script?

A system utility relying upon the command search path of its
parent process is never a good idea.

> I think the real bug is that SuSEconfig doesn't reset the path
> to something sane.

And the fact that it doesn't verify that a command it will execute
repeatedly even exists before blindly attempting to execute it and
write its output into Postfix's system-wide configuration file?
And the fact that it returns 0, which indicates success, after
multiple failures?

Anyway, I got a response to my bug report (Ticket
20040414990000016) from SuSE:

> This is a known bug that has been fixed in the upcoming SUSE
> Linux 9.1. For 9.0 this bug alone does not warrant an official
> update.

Apparently, they don't think it warrants warning anyone about it,
either. Or even publishing the fact that it is known.

--
Phil Mocek
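
The three safeguards discussed in this message (a reset search path, a full path to the command that is verified before use, and a non-zero exit status when any step fails), as an added shell example that is not SuSEconfig's code and not from the thread. The default `/usr/sbin/postconf` location, the reset PATH value and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not SuSEconfig's code. The default tool location is an
# assumption; set POSTCONF to wherever your distribution installs it.
POSTCONF="${POSTCONF:-/usr/sbin/postconf}"

# Reset the search path to system directories only, so nothing inherited
# from the calling user's environment (e.g. through sudo) affects lookup.
sane_path() {
    PATH=/usr/sbin:/usr/bin:/sbin:/bin
    export PATH
}

# Verify the tool before first use: it must be given as an absolute path
# and must be an existing, executable regular file.
require_tool() {
    case "$1" in
        /*) ;;
        *) echo "refusing non-absolute tool path: $1" >&2; return 1 ;;
    esac
    [ -f "$1" ] && [ -x "$1" ] || {
        echo "missing or not executable: $1" >&2
        return 1
    }
}

# apply_settings TOOL name=value...
# Runs "TOOL -e name=value" for each setting, counts failures, and returns
# non-zero if the tool is unusable (2) or any setting failed (1).
apply_settings() {
    tool=$1; shift
    require_tool "$tool" || return 2
    failures=0
    for kv in "$@"; do
        "$tool" -e "$kv" || {
            echo "failed to set: $kv" >&2
            failures=$((failures + 1))
        }
    done
    [ "$failures" -eq 0 ]
}
```

A caller would run `sane_path` first and then `apply_settings "$POSTCONF" "name=value" || exit 1`, so a missing or failing tool stops the run instead of being reported as success.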