From: Keith Thompson <Keith.S.Thompson+u@gmail.com>
Newsgroups: comp.unix.shell
Subject: Re: Default PATH setting - reduce to something more sensible?
Date: Sun, 02 Feb 2025 20:58:01 -0800
Organization: None to speak of
Lines: 55
Message-ID: <87pljzvd46.fsf@nosuchdomain.example.com>
References: <vm5dei$2c7to$1@dont-email.me> <vmthmu$3bb88$1@news.xmission.com>
<vmtrqk$92b$1@reader2.panix.com> <vmu94j$1q2lp$1@dont-email.me>
<vn05ji$r20$1@reader2.panix.com> <vn0bpf$29qe6$1@dont-email.me>
<871pwr6fe9.fsf@nosuchdomain.example.com>
<vn2ier$2phv1$1@dont-email.me>
<87ed0qba54.fsf@nosuchdomain.example.com>
<20250125211146.219@kylheku.com> <vn5egt$3qdn6$1@dont-email.me>
<874j1lb4fg.fsf@nosuchdomain.example.com>
Keith Thompson <Keith.S.Thompson+u@gmail.com> writes:
> Janis Papanagnou <janis_papanagnou+ng@hotmail.com> writes:
>> On 26.01.2025 06:26, Kaz Kylheku wrote:
> [...]
>>> If someone has, say, "~/bin" in their PATH, ahead of /bin and /usr/bin,
>>> I can put a malicious program in some directory called "~/bin"
>>> somewhere in the filesystem, give that program the name of a common
>>> external utility, and trick the user into changing into that location
>>> where they will run this common command, resolving to my malicious
>>> program.
>>
>> To my best knowledge using '/' as part of a file or directory name is
>> (as the '\0') prohibited by the operating system at a very low level.
>
> Correct, but ...
>
>> So there would, IMO, not be a security hole (i.e. not because of that).
>
> It's not a directory named '~/bin'. It's a directory named 'bin'
> under a directory named '~'.
>
> Bash interprets '~/bin' as a component of $PATH as $HOME/bin .
> Everything(?) else interprets it as a relative path referring to
> a bin subdirectory of a literal '~' subdirectory in the current
> directory.
>
> Hmm. The exploit Kaz discussed involves programs other than
> bash treating '~/bin' as a relative path. But bash itself could
> be affected if $HOME expands to a relative path (I've confirmed
> the behavior). On the other hand, that's less likely to happen.
> Kaz's exploit just requires getting the victim to cd into a specified
> directory; this would also require getting the user to change the
> value of $HOME.

Another interesting tidbit: the GNU `which` command has a "--skip-tilde"
option that tells it to skip elements of $PATH that start with '~'
(and also directories anywhere under $HOME).

From the output of `which --help`:

    --skip-tilde Skip directories in PATH that start with a tilde.

From the info documentation:

    ‘--skip-tilde’
         Skip directories in ‘PATH’ that start with a tilde and executables
         which reside in the ‘HOME’ directory.

(On Ubuntu, /usr/bin/which is provided by the "debianutils" package.
I don't see a way to install GNU which other than by building it from
source.)

--
Keith Thompson (The_Other_Keith) Keith.S.Thompson+u@gmail.com
void Void(void) { Void(); } /* The recursive call of the void */
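
A PATH audit for the issue discussed in this thread, as an added example that is not part of the original article: it flags entries that begin with a literal '~' (which, per the post, programs other than bash resolve relative to the current directory), along with other relative and empty entries, which resolve the same way. The names `audit_path` and `SAMPLE_PATH` are hypothetical, and the sample value is constructed.

```shell
#!/bin/sh
# audit_path: report PATH entries that are resolved relative to the
# current directory. Prints one "reason<TAB>entry" line per finding and
# returns 1 if anything was flagged, 0 if every entry is absolute.
audit_path() {
    ap_rest="${1}:"          # trailing ':' so the last entry is processed
    ap_rc=0
    while [ -n "$ap_rest" ]; do
        ap_entry=${ap_rest%%:*}     # text before the first ':'
        ap_rest=${ap_rest#*:}       # everything after it
        case $ap_entry in
            '')
                # An empty entry means "current directory".
                printf '%s\t%s\n' empty '(current directory)'
                ap_rc=1 ;;
            '~'*)
                # Unexpanded tilde: only bash maps this to $HOME when
                # searching PATH; elsewhere it is a directory named '~'.
                printf '%s\t%s\n' literal-tilde "$ap_entry"
                ap_rc=1 ;;
            /*)
                ;;                  # absolute path, nothing to report
            *)
                printf '%s\t%s\n' relative "$ap_entry"
                ap_rc=1 ;;
        esac
    done
    return $ap_rc
}

# Constructed sample: the single quotes keep '~' literal, which is what
# ends up in PATH after an assignment such as PATH="~/bin:$PATH".
SAMPLE_PATH='~/bin:/usr/local/bin:/usr/bin:/bin'
audit_path "$SAMPLE_PATH" || true
```

To check a live session, run `audit_path "$PATH"`; the fix for a flagged tilde entry is to write `$HOME/bin` (or an unquoted `~/bin`) in the assignment so the stored value is absolute.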