| Deutsch English Français Italiano |
|
<874j1lb4fg.fsf@nosuchdomain.example.com> View for Bookmarking (what is this?) Look up another Usenet article |
Path: ...!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!eternal-september.org!.POSTED!not-for-mail
From: Keith Thompson <Keith.S.Thompson+u@gmail.com>
Newsgroups: comp.unix.shell
Subject: Re: Default PATH setting - reduce to something more sensible?
Date: Sun, 26 Jan 2025 14:23:15 -0800
Organization: None to speak of
Lines: 36
Message-ID: <874j1lb4fg.fsf@nosuchdomain.example.com>
References: <vm5dei$2c7to$1@dont-email.me> <vmthmu$3bb88$1@news.xmission.com>
<vmtrqk$92b$1@reader2.panix.com> <vmu94j$1q2lp$1@dont-email.me>
<vn05ji$r20$1@reader2.panix.com> <vn0bpf$29qe6$1@dont-email.me>
<871pwr6fe9.fsf@nosuchdomain.example.com>
<vn2ier$2phv1$1@dont-email.me>
<87ed0qba54.fsf@nosuchdomain.example.com>
<20250125211146.219@kylheku.com> <vn5egt$3qdn6$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain
Injection-Date: Sun, 26 Jan 2025 23:23:17 +0100 (CET)
Injection-Info: dont-email.me; posting-host="fe08763d6b1c9b85d57c56913c7d5466";
logging-data="179867"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+j5YnSmGB1UUvD5FVNnjoU"
User-Agent: Gnus/5.13 (Gnus v5.13)
Cancel-Lock: sha1:CnwY+Yb/19Op85DEsMS/nhNLJoA=
sha1:5B2tOltmxyB/aZRak/+fSUkM4xk=
Bytes: 2883
Janis Papanagnou <janis_papanagnou+ng@hotmail.com> writes:
> On 26.01.2025 06:26, Kaz Kylheku wrote:
[...]
>> If someone has, say, "~/bin" in their PATH, ahead of /bin and /usr/bin,
>> I can put a malicious program in some directory called "~/bin"
>> somewhere in the filesystem, give that program the name of a common
>> external utility, and trick the user into changing into that location
>> where they will run this common command, resolving to my malicious
>> program.
>
> To my best knowledge using '/' as part of a file or directory name is
> (as the '\0') prohibited by the operating system at a very low level.
Correct, but ...
> So there would, IMO, not be a security hole (i.e. not because of that).
It's not a directory named '~/bin'. It's a directory named 'bin'
under a directory named '~'.
Bash interprets '~/bin' as a component of $PATH as $HOME/bin .
Everything(?) else interprets it as a relative path referring to
a bin subdirectory of a literal '~' subdirectory in the current
directory.
Hmm. The exploit Kaz discussed involves programs other than
bash treating '~/bin' as a relative path. But bash itself could
be affected if $HOME expands to a relative path (I've confirmed
the behavior). On the other hand, that's less likely to happen.
Kaz's exploit just requires getting the victim to cd into a specified
directory; this would also require getting the user to change the
value of $HOME.
--
Keith Thompson (The_Other_Keith) Keith.S.Thompson+u@gmail.com
void Void(void) { Void(); } /* The recursive call of the void */