Lloyd <ng2...@proton.me> writes:

> What is the meaning behind the following output from security(8):
>
> Checking root sh paths, umask values:
> /etc/profile /root/.profile
> Failed to find ENV in /root/.profile.
>
> I get these daily complaints on every box where root's .profile calls out to
> a shell script for some housekeeping tasks on a login shell; e.g.
> /usr/local/bin/bash or /usr/bin/env bash. If I call out to an executable such
> as /bin/ls the complaint is suppressed.
>
> Not sure why ENV would be needed because I only want these tasks to execute
> on a login shell. I am using ksh as the default shell. What is the security
> concern by not having an ENV script defined in .profile? The default .profile
> does not define ENV. Or have I misused/abused .profile for eternity and not
> known it?
>
You are misinterpreting the error message.

The security(8) script can be found at
https://github.com/openbsd/src/blob/master/libexec/security/security#L248

With some simplification, it is running:

    /bin/sh -c '. /root/.profile; echo ENV=$ENV; echo PATH=$PATH'

and checks the output.

In your case, it is complaining that "echo ENV=" doesn't produce the expected
line with the 'ENV' string.

(If you run the command yourself, your actual environment might contain ENV or
PATH variables, so prefix the command with "env -i" to clear the environment
first.)

    $ env -i ksh -c '. /etc/profile; echo ENV=$ENV; echo PATH=$PATH'
    ENV=
    PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin

    # env -i ksh -c '. /root/.profile; echo ENV=$ENV; echo PATH=$PATH'
    ENV=
    PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/local/sbin:/usr/local/bin

Regards.
-- 
Sebastien Marie
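
The simplified check described in the reply above, as an added example that is not part of the original post and not code from security(8): it sources a profile in a cleared environment and looks for the `ENV=` and `PATH=` lines in the output. The two profiles, the function names and the use of `exit` to keep the trailing echoes from running are constructed for illustration and are not a diagnosis of the poster's .profile.

```sh
#!/bin/sh
# Added example: reproduces the simplified command from the reply.
# The file name is passed as $1 instead of being pasted into the command string.

# run_check FILE: source FILE in a cleared environment, then echo ENV and PATH.
run_check() {
    env -i /bin/sh -c '. "$1"; echo ENV=$ENV; echo PATH=$PATH' sh "$1" 2>/dev/null
}

# has_line NAME FILE: succeed if the output has a line starting with "NAME=".
# An unset variable still yields "NAME=" and counts as found.
has_line() {
    run_check "$2" | grep -q "^$1="
}

# report FILE: print a message, modelled on the one quoted in the thread,
# for each expected line that is missing from the output.
report() {
    for var in ENV PATH; do
        has_line "$var" "$1" || echo "Failed to find $var in $1."
    done
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed profile 1: sets PATH and returns control to the caller.
    printf 'PATH=/sbin:/usr/sbin:/bin:/usr/bin\nexport PATH\n' > "$dir/ok.profile"
    # Constructed profile 2: terminates the shell, so the echoes never run.
    printf 'PATH=/sbin:/bin\nexport PATH\nexit 0\n' > "$dir/exits.profile"
    echo "== ok.profile";    report "$dir/ok.profile"
    echo "== exits.profile"; report "$dir/exits.profile"
    rm -rf "$dir"
}

demo
```

The first profile produces no message even though ENV is never set; the second produces a message for both ENV and PATH because the shell ends before either echo runs.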