
Bug#340443: x11-common: Error in /etc/X11/Xsession - ksh users can't log in from KDM



Package: x11-common
Version: 6.8.2.dfsg.1-7
Severity: grave
Tags: patch
Justification: renders package unusable


PROBLEM:
  random login problems without any error messages: some users can't log in,
  whichever window manager is chosen.  The behaviour is essentially the
  same as in the case of bug #327191 (but for different reasons)

DIAGNOSIS:
  the problem was caused by the line
  alias ls="ls --color"
  in the $HOME/.profile file of some of the users

DESCRIPTION:
The script /etc/X11/Xsession uses "ls" instead of "/bin/ls" in the
"run_parts" subroutine on the following line:

  for F in $(ls $1); do

KDM calls /etc/X11/Xsession _after_ reading /etc/profile, $HOME/.profile
or whatever other relevant login scripts are available.  

We found out that the following combination is lethal (i.e. you cannot
log in through the graphical manager):

1) ksh as the login shell (a couple of thousand users in our environment)
2) .profile redefines "ls" using an alias:
    alias ls="ls --color"
    (common for many users, after all this is what .profile is for!)

Presently, we do not know why this behaviour is seen only in ksh
and not in bash.  Note that, unlike the related bug #327191, this behaviour
is not due to an error in the user's .profile file, as the line quoted above
is correct and works on other (non-Debian) systems.

SOLUTION:
substitute "ls" with "/bin/ls" in the aforementioned line 

FURTHER COMMENTS:
Although this is really a quickfix, because we do not fully understand what
happens here, we think that using "ls" without a path specification, which
obviously may or may not be manipulated, is a generally bad idea and should
not be used.

Tracking of this bug cost us a lot of time: we experienced random behaviour
(some users can log in, some can't, no traces of error in the log files,
everything seems to be OK except that the X session dies).  Its gravity was
serious in our environment, as all university users have ksh as the default
shell, and many users are used to the "ls --color" alias (which is default
e.g. in SuSE).  

Furthermore, using ls instead of /bin/ls is a potential security hole even
though Xsession runs as user.

We provide a fix. 

Please, do something about it.

January Weiner
David Vernazobres

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-stud-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages x11-common depends on:
ii  debconf [debconf-2.0]         1.4.58     Debian configuration management sy
ii  debianutils                   2.15       Miscellaneous utilities specific t
ii  lsb-base                      3.0-9      Linux Standard Base 3.0 init scrip

x11-common recommends no packages.

-- debconf information excluded
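
The unqualified-`ls` pattern from this report next to two forms that do not depend on how the calling shell resolves `ls`, as an added example that is not part of the original message and is not the Xsession source. The function names and the file-name filter are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration; not the Xsession source. All function names are hypothetical.

# Print "$1/$2" when $2 is a regular file in $1 whose name uses only letters,
# digits, "_" and "-" (assumed naming policy for this example).
emit_part() {
  case "$2" in
    ''|*[!A-Za-z0-9_-]*) return 0 ;;   # reject empty or unexpected names
  esac
  if [ -f "$1/$2" ]; then printf '%s\n' "$1/$2"; fi
}

# Pattern quoted in the report: the bare name "ls" is resolved by the shell,
# so an alias or function defined earlier (for example in the user's profile)
# is used in its place.
list_parts_bare() {
  for F in $(ls $1); do emit_part "$1" "$F"; done
}

# Fix proposed in the report: an absolute path is not subject to alias,
# function or PATH lookup.
list_parts_abs() {
  for F in $(/bin/ls "$1"); do emit_part "$1" "$F"; done
}

# Alternative that runs no command at all: let the shell expand the glob.
# In an empty directory the pattern stays literal and "*" fails the name check.
list_parts_glob() {
  for P in "$1"/*; do emit_part "$1" "${P##*/}"; done
}
```

Defining `ls` as a function or alias in the calling shell before invoking `list_parts_bare` changes what it returns, while `list_parts_abs` and `list_parts_glob` keep returning the same paths.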


