Newsportal USENET - Re: Default PATH setting - reduce to something more sensible?

Re: Default PATH setting - reduce to something more sensible?

Sujet : Re: Default PATH setting - reduce to something more sensible?
De : janis_papanagnou+ng (at) *nospam* hotmail.com (Janis Papanagnou)
Groupes : comp.unix.shell
Date : 26. Jan 2025, 14:49:16

Autres entêtes

Organisation : A noiseless patient Spider
Message-ID : <vn5egt$3qdn6$1@dont-email.me>
References : 1 2 3 4 5 6 7 8 9 10
User-Agent : Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0

On 26.01.2025 06:26, Kaz Kylheku wrote:

It's a feature that (if used) leaks tildes into child processes via
the environment variable. Path resultion in child processes, if it
reaches a PATH element with a tilde, will somehow process that tilde.

I just tried this experiment. I made a directory named ~ and put ~:
as the leading element of PATH. I put a program called "foo" that
directory.

Surely enough, I can run "foo" from the parent directory above.

The exec functions treat ~ as an ordinary path component.

(I cannot do that out of Bash, which processes the tilde, but
the 'p' family of the exec functions will find it!)

This is a problem similar to "." being in PATH.

[ Above context preserved for integrity. ]

If someone has, say, "~/bin" in their PATH, ahead of /bin and /usr/bin,
I can put a malicious program in some directory called "~/bin"
somewhere in the filesystem, give that program the name of a common
external utility, and trick the user into changing into that location
where they will run this common command, resolving to my malicious
program.

To my best knowledge using '/' as part of a file or directory name is
(as the '\0') prohibited by the operating system at a very low level.
So there would, IMO, not be a security hole (i.e. not because of that).

If we regard this as a security hole, that atually raises the priority
and bolsters the argument that it ought to be removed even if it
breaks some users, perhaps through a process of noisy deprecation.

Furhermore, the case can be made that the exec stuff in the Linux kernel
or C libraries should be patched with a check against components with a
leading tilde.

Janis

Les messages affichés proviennent d'usenet.

Date	Sujet	#	Auteur
14 Jan 25	Re: Default PATH setting - reduce to something more sensible?	84	Dan Cross
14 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Richard Harnden
20 Jan 25	Re: Default PATH setting - reduce to something more sensible?	82	Wayne
20 Jan 25	Re: Default PATH setting - reduce to something more sensible?	81	Janis Papanagnou
21 Jan 25	Re: Default PATH setting - reduce to something more sensible?	80	Axel Reichert
21 Jan 25	Re: Default PATH setting - reduce to something more sensible?	7	Janis Papanagnou
22 Jan 25	Soft-links to binaries (was Re: Default PATH setting)	4	Janis Papanagnou
22 Jan 25	Re: Soft-links to binaries (was Re: Default PATH setting)	3	Keith Thompson
22 Jan 25	Re: Soft-links to binaries (was Re: Default PATH setting)	1	Lawrence D'Oliveiro
23 Jan 25	Re: Soft-links to binaries (was Re: Default PATH setting)	1	Janis Papanagnou
25 Jan 25	PATH for GUI applications (was: Default PATH setting - reduce to something more sensible?)	2	Axel Reichert
26 Jan 25	Re: PATH for GUI applications (was: Default PATH setting - reduce to something more sensible?)	1	Lawrence D'Oliveiro
22 Jan 25	Re: Default PATH setting - reduce to something more sensible?	72	Geoff Clare
22 Jan 25	Re: Default PATH setting - reduce to something more sensible?	71	Kaz Kylheku
23 Jan 25	Re: Default PATH setting - reduce to something more sensible?	70	Geoff Clare
23 Jan 25	Re: Default PATH setting - reduce to something more sensible?	69	Kenny McCormack
23 Jan 25	Re: Default PATH setting - reduce to something more sensible?	52	Dan Cross
23 Jan 25	Re: Default PATH setting - reduce to something more sensible?	51	Janis Papanagnou
23 Jan 25	Re: Default PATH setting - reduce to something more sensible?	3	Keith Thompson
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	2	Janis Papanagnou
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Keith Thompson
23 Jan 25	Re: Default PATH setting - reduce to something more sensible?	3	Kaz Kylheku
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Janis Papanagnou
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Jerry Peters
23 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	marrgol
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	43	Dan Cross
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	42	Janis Papanagnou
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	14	Dan Cross
25 Jan 25	Re: Default PATH setting - reduce to something more sensible?	5	Janis Papanagnou
25 Jan 25	Re: Default PATH setting - reduce to something more sensible?	4	Dan Cross
26 Jan 25	Re: Default PATH setting - reduce to something more sensible?	2	Keith Thompson
27 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Dan Cross
26 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Janis Papanagnou
26 Jan 25	Re: Default PATH setting - reduce to something more sensible?	8	Keith Thompson
26 Jan 25	Re: Default PATH setting - reduce to something more sensible?	3	Janis Papanagnou
26 Jan 25	Re: Default PATH setting - reduce to something more sensible?	2	Christian Weisgerber
27 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Janis Papanagnou
26 Jan 25	Early history of Bash (was: Re: Default PATH setting - reduce to something more sensible?)	4	Christian Weisgerber
27 Jan 25	Re: Early history of Bash	1	Keith Thompson
27 Jan 25	Re: Early history of Bash	2	Keith Thompson
27 Jan 25	Re: Early history of Bash	1	Lawrence D'Oliveiro
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	27	Keith Thompson
25 Jan 25	Re: Default PATH setting - reduce to something more sensible?	26	Janis Papanagnou
26 Jan 25	Re: Default PATH setting - reduce to something more sensible?	25	Keith Thompson
26 Jan 25	Re: Default PATH setting - reduce to something more sensible?	23	Kaz Kylheku
26 Jan 25	Re: Default PATH setting - reduce to something more sensible?	22	Janis Papanagnou
26 Jan 25	Re: Default PATH setting - reduce to something more sensible?	2	Kaz Kylheku
27 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Janis Papanagnou
26 Jan 25	Re: Default PATH setting - reduce to something more sensible?	3	Keith Thompson
3 Feb 25	Re: Default PATH setting - reduce to something more sensible?	2	Keith Thompson
3 Feb 25	Re: Default PATH setting - reduce to something more sensible?	1	Kaz Kylheku
27 Jan 25	Re: Default PATH setting - reduce to something more sensible?	16	Lawrence D'Oliveiro
27 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Kenny McCormack
27 Jan 25	Re: Default PATH setting - reduce to something more sensible?	11	Alexis
27 Jan 25	Re: Default PATH setting - reduce to something more sensible?	2	Kenny McCormack
27 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Alexis
27 Jan 25	Re: Default PATH setting - reduce to something more sensible?	8	Lawrence D'Oliveiro
27 Jan 25	Re: Default PATH setting - reduce to something more sensible?	7	Keith Thompson
27 Jan 25	Re: Default PATH setting - reduce to something more sensible?	3	Kaz Kylheku
27 Jan 25	Arbitrary characters in filenames (was Re: Default PATH setting ...)	2	Janis Papanagnou
27 Jan 25	Re: Arbitrary characters in filenames (was Re: Default PATH setting ...)	1	Kaz Kylheku
28 Jan 25	Re: Default PATH setting - reduce to something more sensible?	3	Lawrence D'Oliveiro
28 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Keith Thompson
28 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Kenny McCormack
27 Jan 25	Re: Default PATH setting - reduce to something more sensible?	2	Janis Papanagnou
28 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Lawrence D'Oliveiro
27 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Kaz Kylheku
26 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Janis Papanagnou
23 Jan 25	Re: Default PATH setting - reduce to something more sensible?	14	Kaz Kylheku
23 Jan 25	Re: Default PATH setting - reduce to something more sensible?	13	Keith Thompson
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	5	Keith Thompson
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	4	Kaz Kylheku
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	3	Keith Thompson
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	2	Lawrence D'Oliveiro
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Keith Thompson
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	7	Janis Papanagnou
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	6	Dan Cross
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	5	Janis Papanagnou
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	2	Dan Cross
25 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Janis Papanagnou
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	2	Keith Thompson
25 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Janis Papanagnou
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	2	Geoff Clare
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Kenny McCormack