[Bug 1803958] Comment bridged from LTC Bugzilla
bugproxy
bugproxy at us.ibm.com
Tue Nov 20 07:59:29 UTC 2018
------- Comment From ifranzki at de.ibm.com 2018-11-20 02:56 EDT-------
We set the PATH before calling system() to execute the generated program for security reasons. That way a user cannot manipulate the PATH environment variable and that way cause a different executable to be used. By setting the path we restrict the search path to the well known executable locations. Remember zkey may run as root or somewhat privileged so that it can execute "cryptsetup luksFormat" or similar.
There is also a similar note in the man page for system():
"Do not use system() from a privileged program (a set-user-ID or set-group-ID program, or a program with capabilities) because strange values for some environment variables might be used to subvert system integrity. For example, PATH could be manipulated so that an arbitrary program is executed with privilege. Use the exec(3) family of functions instead, but not execlp(3) or execvp(3) (which also use the PATH environment variable to search for an executable)."
--
https://bugs.launchpad.net/bugs/1803958
Title:
[UBUNTU] zkey: Fails to run commands generated by 'zkey cryptsetup'
Status in Ubuntu on IBM z Systems:
Triaged
Status in s390-tools package in Ubuntu:
New
Bug description:
Description: zkey: Fails to run commands generated by 'zkey
cryptsetup'
Symptom: Fails to run commands generated by 'zkey cryptsetup'.
Problem: When using 'zkey cryptsetup' with --run option the execution
of the generated commands may fail, when the executable to be run is
located in '/sbin'.
Solution: Include /sbin into PATH when executing commands.
Reproduction: Use 'zkey cryptsetup' with option --run on a distribution
where 'cryptsetup' is located in '/sbin'.
Upstream commit:
https://github.com/ibm-s390-tools/s390-tools/commit/9100327092c470c2e5b5819087c8094822a1c751