/sbin:/usr/sbin in mortal's PATH

Chris Tyler chris at tylers.info
Tue May 9 03:39:08 UTC 2006


Here's a related issue with the PATHs (which is why I change
the /etc/profile on my systems): a simple 'su' won't munge the superuser
directories into the PATH, because /etc/profile isn't invoked. If the
superuser directories are in the default PATH, a plain 'su' becomes a
lot more useful (and yes, 'su -' works, but then you lose the current
directory). An alternative would be to put path munging code
in /etc/bashrc (or, somehow, the PAM config for 'su').


Horst von Brand wrote:
> But ifconfig(8) is not for luser consumption, and so are lots of
> others.

I have trouble comprehending that statement. What tool would you
recommend if an unprivileged user wanted to know the IP address of the
system? 'cat /sys/class/net/eth0/address' ?

Or is it useful for an unprivileged user to know the WCHAN of running
processes (/bin/ps), the current keymappings (/bin/dumpkeys), and the
date and time that the kernel was compiled (/bin/uname -a), but not the
IP address?

Realistically (these days), there's a good chance that an inexperienced
user won't be on the command line at all (but that's a far cry from
saying that 'bash is not for luser consumption').


Leszek Matok wrote:
> The wrong thing IMHO would be having /sbin before /bin in the search
> path. As someone stated earlier, it can break consolehelper symlinks.
> Other than that, either let's make a symlinking-fest or add them to
> the path as many suggest, only after /bin and co.

Agreed - the code in /etc/profile should probably read:

	# Path manipulation
	if [ "$EUID" = 0 ]; then
	        pathmunge /sbin
	        pathmunge /usr/sbin
	        pathmunge /usr/local/sbin
	else
	        pathmunge /sbin after
	        pathmunge /usr/sbin after
	        pathmunge /usr/local/sbin after
	fi

This is better than a symlink-fest because the sites that really don't
want the users to know their IP address can change it easily :-) The
downside is that the path order is potentially less secure after an
'su'.

Bugzilla 191135.

--
Chris Tyler
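
Added example, not part of the original message and not Fedora's own /etc/profile: a sketch of the search order the proposed block produces, and of which directories a root shell consults before /sbin when the PATH was inherited through a plain 'su'. The pathmunge body is a stand-in with assumed behaviour, the helper names proposed_path and before_sbin are hypothetical, and the sample PATH values are constructed.

```shell
#!/bin/sh
# Stand-in for the pathmunge helper that /etc/profile defines (assumed
# behaviour: do nothing if the directory is already in PATH, otherwise
# prepend it, or append it when the second argument is "after").
pathmunge() {
    case ":$PATH:" in
        *:"$1":*) ;;
        *) if [ "$2" = "after" ]; then PATH="$PATH:$1"; else PATH="$1:$PATH"; fi ;;
    esac
}

# Apply the proposed /etc/profile block to a starting PATH ($2) for a given
# EUID ($1) and print the result. The subshell body keeps the caller's PATH intact.
proposed_path() (
    euid=$1
    PATH=$2
    if [ "$euid" = 0 ]; then
        pathmunge /sbin; pathmunge /usr/sbin; pathmunge /usr/local/sbin
    else
        pathmunge /sbin after; pathmunge /usr/sbin after
        pathmunge /usr/local/sbin after
    fi
    printf '%s\n' "$PATH"
)

# Print each PATH entry that is searched before /sbin, one per line.
# An empty entry means the current directory and is shown as ".".
before_sbin() (
    IFS=:
    set -f
    for d in $1; do
        [ "$d" = /sbin ] && break
        printf '%s\n' "${d:-.}"
    done
)

# Constructed sample: an unprivileged user's PATH with a home directory first.
sample=/home/alice/bin:/usr/local/bin:/bin:/usr/bin
user_path=$(proposed_path 1000 "$sample")
echo "user login shell:      $user_path"
echo "root login ('su -'):   $(proposed_path 0 /usr/local/bin:/bin:/usr/bin)"
# Models the /etc/bashrc alternative: munging again as root on the inherited PATH.
echo "plain su, munged again: $(proposed_path 0 "$user_path")"
echo "searched before /sbin after a plain su:"
before_sbin "$user_path"
```

With this stand-in, re-running the munge as root on an inherited PATH changes nothing, because all three directories are already present, so every directory in the user's PATH still precedes the sbin directories.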



