Comment 3 for bug 1803958
Revision history for this message
| bugproxy (bugproxy) wrote Comment bridged from LTC Bugzilla | #3 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
67d34a1
(Get the code!)
------- Comment From <email address hidden> 2018-11-20 04:36 EDT-------
Additional info from Hendrik:
Ingo is correct here and we had a discussion about setting PATH explicitly for security reasons. For running zkey as regular user or as root is not the problem. But it becomes a security subject for running zkey with sudo. Assume you have granted a user the permission to run sudo zkey and the user constructs a PATH for finding the cryptsetup binary in a directory controlled by the user. If sudo zkey would then call this cryptsetup binary, the user can gain more privileges.
The alternative is to hard-code the path to the cryptsetup binary but that's typically a problem because it might be installed in different location depending on the Linux distributions.
So if you want to remove the PATH for Ubuntu, please either ensure that all calls to external programs use hard-coded paths or ensure that the default configuration for sudo sets up a pre-defined path (overriding any existing settings). Of course, this PATH configuration needs to be done for all kinds of such invocations, for example, su, ?