[Bug 1803958] Comment bridged from LTC Bugzilla

bugproxy bugproxy at us.ibm.com
Tue Nov 20 09:39:32 UTC 2018 

------- Comment From ifranzki at de.ibm.com 2018-11-20 04:36 EDT-------
Additional info from Hendrik:

Ingo is correct here and we had a discussion about setting PATH
explicitly for security reasons. For running zkey as regular user or as
root is not the problem. But it becomes a security subject for running
zkey with sudo. Assume you have granted a user the permission to run
sudo zkey and the user constructs a PATH for finding the cryptsetup
binary in a directory controlled by the user.  If sudo zkey would then
call this cryptsetup binary, the user can gain more privileges.

The alternative is to hard-code the path to the cryptsetup binary but
that's typically a problem because it might be installed in different
location depending on the Linux distributions.

So if you want to remove the PATH for Ubuntu, please either ensure that
all calls to external programs use hard-coded paths or ensure that the
default configuration for sudo sets up a pre-defined path (overriding
any existing settings).  Of course, this PATH configuration needs to be
done for all kinds of such invocations, for example, su, ?

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to s390-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1803958

Title:
  [UBUNTU] zkey: Fails to run commands generated by 'zkey cryptsetup'

Status in Ubuntu on IBM z Systems:
  Triaged
Status in s390-tools package in Ubuntu:
  New

Bug description:
  Description:  zkey: Fails to run commands generated by 'zkey
  cryptsetup'

  Symptom:      Fails to run commands generated by 'zkey cryptsetup'.

  Problem:  When using 'zkey cryptsetup' with --run option the execution
  of the generated commands may fail, when  the executable to be run is
  located in '/sbin'.

  Solution:     Include /sbin into PATH when executing commands.

  Reproduction: Use 'zkey cryptsetup' with option --run on a distribution
                where 'cryptsetup' is located in '/sbin'.

  Upstream commit:
  https://github.com/ibm-s390-tools/s390-tools/commit/9100327092c470c2e5b5819087c8094822a1c751

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1803958/+subscriptions

More information about the foundations-bugs mailing list