[Adduser-devel] Bug#357978: adduser calls /usr/bin/chfn instead of invoking chfn from PATH

Ian Jackson sysadmin at chiark.greenend.org.uk
Wed May 3 16:08:31 UTC 2006


Marc Haber writes ("Bug#357978: adduser calls /usr/bin/chfn instead of invoking chfn from PATH"):
> Hm. We are using hard-coded paths since we avoid using a shell for
> subprocess invocation.

I'm afraid I don't understand this comment at all.  Honouring the PATH
just involves calling exec*p rather than exec*, and doesn't need to
use a subprocess.  The libc will search the PATH for you.

>  We're going to change to a PATH-honoring setup
> in one of the next versions, but we're going to set our own PATH on
> startup to avoid privilege escalation issues.

That's completely wrong.  adduser is running as root to start with and
isn't setuid.  It should honour its PATH completely.

Ian.
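
The difference between exec* and exec*p discussed in this message, as an added example that is not part of the original thread and not adduser's own code (adduser is a Perl script). The helper name run_noshell and the sample command are hypothetical; the sketch assumes a POSIX system where `true` is installed somewhere on the PATH.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for setenv() */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* run_noshell() is a hypothetical helper, not adduser code.
 * It runs argv[0] in a child process; no shell is started in either mode.
 *   search_path != 0: execvp(), libc walks $PATH for argv[0]
 *   search_path == 0: execv(), argv[0] is taken as a literal pathname
 * child_path, if non-NULL, replaces PATH in the child before the exec.
 * Returns the child's exit status, 127 if the exec failed, -1 on error. */
int run_noshell(char *const argv[], int search_path, const char *child_path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (child_path != NULL && setenv("PATH", child_path, 1) != 0)
            _exit(127);
        if (search_path)
            execvp(argv[0], argv);
        else
            execv(argv[0], argv);
        _exit(127);               /* reached only when the exec failed */
    }
    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *cmd[] = { "true", NULL };   /* constructed sample command */
    printf("execvp, inherited PATH:    %d\n", run_noshell(cmd, 1, NULL));
    printf("execv, bare name:          %d\n", run_noshell(cmd, 0, NULL));
    printf("execvp, PATH=/nonexistent: %d\n", run_noshell(cmd, 1, "/nonexistent"));
    return 0;
}
```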



