From: Keith Thompson
Newsgroups: comp.unix.shell
Subject: Re: Default PATH setting - reduce to something more sensible?
Date: Sun, 02 Feb 2025 20:58:01 -0800
Message-ID: <87pljzvd46.fsf@nosuchdomain.example.com>

Keith Thompson writes:
> Janis Papanagnou writes:
>> On 26.01.2025 06:26, Kaz Kylheku wrote:
> [...]
>>> If someone has, say, "~/bin" in their PATH, ahead of /bin and /usr/bin,
>>> I can put a malicious program in some directory called "~/bin"
>>> somewhere in the filesystem, give that program the name of a common
>>> external utility, and trick the user into changing into that location
>>> where they will run this common command, resolving to my malicious
>>> program.
>>
>> To my best knowledge using '/' as part of a file or directory name is
>> (as the '\0') prohibited by the operating system at a very low level.
>
> Correct, but ...
>
>> So there would, IMO, not be a security hole (i.e. not because of that).
>
> It's not a directory named '~/bin'. It's a directory named 'bin'
> under a directory named '~'.
>
> Bash interprets '~/bin' as a component of $PATH as $HOME/bin .
> Everything(?) else interprets it as a relative path referring to
> a bin subdirectory of a literal '~' subdirectory in the current
> directory.
>
> Hmm. The exploit Kaz discussed involves programs other than
> bash treating '~/bin' as a relative path. But bash itself could
> be affected if $HOME expands to a relative path (I've confirmed
> the behavior). On the other hand, that's less likely to happen.
> Kaz's exploit just requires getting the victim to cd into a specified
> directory; this would also require getting the user to change the
> value of $HOME.

Another interesting tidbit: the GNU `which` command has a "--skip-tilde"
option that tells it to skip elements of $PATH that start with '~' (and
also directories anywhere under $HOME).

From the output of `which --help`:

  --skip-tilde       Skip directories in PATH that start with a tilde.

From the info documentation:

‘--skip-tilde’
     Skip directories in ‘PATH’ that start with a tilde and executables
     which reside in the ‘HOME’ directory.

(On Ubuntu, /usr/bin/which is provided by the "debianutils" package.
I don't see a way to install GNU which other than by building it from
source.)

-- 
Keith Thompson (The_Other_Keith) Keith.S.Thompson+u@gmail.com
void Void(void) { Void(); } /* The recursive call of the void */
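
A defender-side check for the PATH problem discussed in this thread, as an added example that is not part of the original post: a POSIX sh function that flags PATH elements that begin with a literal tilde, are empty, or are otherwise relative. The function name `audit_path`, the reason labels and the sample PATH string are made up for this illustration.

```shell
#!/bin/sh
# audit_path [PATHSTRING]   (hypothetical helper, not from the thread)
# Prints "reason<TAB>element" for each risky element of a PATH-style string
# and returns 1 if any were found, 0 if the string is clean.
# With no argument it audits the current $PATH.
audit_path() {
    rest="${1-$PATH}:"      # trailing ':' so a final empty element is seen
    rc=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text before the first ':'
        rest=${rest#*:}     # everything after it
        case $entry in
            '~'*)
                # Literal tilde stored in PATH. Per the thread, bash reads
                # '~/bin' as $HOME/bin while other programs read it as the
                # relative path ./~/bin under the current directory.
                reason=tilde ;;
            '')
                # An empty element means "current directory".
                reason=empty ;;
            /*)
                continue ;;   # absolute path: not flagged
            *)
                # '.', 'bin', '../tools', ...: resolved against the cwd.
                reason=relative ;;
        esac
        printf '%s\t%s\n' "$reason" "$entry"
        rc=1
    done
    return $rc
}

# Constructed sample PATH: flags '~/bin', the empty element and 'bin'.
audit_path '~/bin:/usr/local/bin::bin:/usr/bin' || :
```

The single quotes around the sample matter: an unquoted `PATH=~/bin:...` assignment is tilde-expanded by the shell, so the literal `~` only ends up in PATH when the value was quoted or written by another program.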