Package: x11-common
Version: 6.8.2.dfsg.1-7
Severity: grave
Tags: patch
Justification: renders package unusable
PROBLEM:
random login problems without any error messages: some users can't log,
whichever window manager is chosen. The behaviour is essentially the
same as in the case of bug #327191 (but for different reasons)
DIAGNOSIS:
the problem was caused by the line
alias ls="ls --color"
in the $HOME/.profile file of some of the users
DESCRIPTION:
The script /etc/X11/Xsession uses "ls" instead of "/bin/ls" in the
"run_parts" subroutine on the following line:
for F in $(ls $1); do
KDM calls /etc/X11/Xsession _after_ reading /etc/profile, $HOME/.profile
or whatever other relevant login scripts are available.
We found out that the following combination is lethal (i.e. you cannot
log in through the graphical manager):
1) ksh as the login shell (couple of thousands users in our environment)
2) .profile redefines "ls" using an alias:
alias ls="ls --color"
(common for many users, after all this is what .profile is for!)
Presently, we do not know whether why this behaviour is seen only in ksh
and not in bash. Note that, unlike the related bug #327191, this behaviour
is not due to an error in the users .profile file, as the line quoted above
is correct and works on other (non-Debian) systems.
SOLUTION:
substitute "ls" with "/bin/ls" in the aforementioned line
FURTHER COMMENTS:
Although this is really a quickfix, because we do not fully understand what
happens here, we think that using "ls" without a path specification which
obviously may or not may be manipulated is a generally bad idea and should
not be used.
Tracking of this bug cost us a lot of time: we experienced random behaviour
(some users can log in, some can't, no traces of error in the log files,
everything seems to be OK except that the X session dies). Its gravity was
serious in our environment, as all university users have ksh as the default
shell, and many users are used to the "ls --color" alias (which is default
e.g. in SuSE).
Furthermore, using ls instead of /bin/ls is a potential security hole even
though Xsession runs as user.
We provide a fix.
Please, do something about it.
January Weiner
David Vernazobres
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-stud-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages x11-common depends on:
ii debconf [debconf-2.0] 1.4.58 Debian configuration management sy
ii debianutils 2.15 Miscellaneous utilities specific t
ii lsb-base 3.0-9 Linux Standard Base 3.0 init scrip
x11-common recommends no packages.
-- debconf information excluded
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
