Newsportal USENET - Re: Default PATH setting - reduce to something more sensible?

Re: Default PATH setting - reduce to something more sensible?

Sujet : Re: Default PATH setting - reduce to something more sensible?
De : Keith.S.Thompson+u (at) *nospam* gmail.com (Keith Thompson)
Groupes : comp.unix.shell
Date : 26. Jan 2025, 23:23:15

Autres entêtes

Organisation : None to speak of
Message-ID : <874j1lb4fg.fsf@nosuchdomain.example.com>
References : 1 2 3 4 5 6 7 8 9 10 11
User-Agent : Gnus/5.13 (Gnus v5.13)

Janis Papanagnou <janis_papanagnou+ng@hotmail.com> writes:

On 26.01.2025 06:26, Kaz Kylheku wrote:

[...]

If someone has, say, "~/bin" in their PATH, ahead of /bin and /usr/bin,
I can put a malicious program in some directory called "~/bin"
somewhere in the filesystem, give that program the name of a common
external utility, and trick the user into changing into that location
where they will run this common command, resolving to my malicious
program.
>
To my best knowledge using '/' as part of a file or directory name is
(as the '\0') prohibited by the operating system at a very low level.

Correct, but ...

So there would, IMO, not be a security hole (i.e. not because of that).

It's not a directory named '~/bin'. It's a directory named 'bin'
under a directory named '~'.

Bash interprets '~/bin' as a component of $PATH as $HOME/bin .
Everything(?) else interprets it as a relative path referring to
a bin subdirectory of a literal '~' subdirectory in the current
directory.

Hmm. The exploit Kaz discussed involves programs other than
bash treating '~/bin' as a relative path. But bash itself could
be affected if $HOME expands to a relative path (I've confirmed
the behavior). On the other hand, that's less likely to happen.
Kaz's exploit just requires getting the victim to cd into a specified
directory; this would also require getting the user to change the
value of $HOME.

--
Keith Thompson (The_Other_Keith) Keith.S.Thompson+u@gmail.com
void Void(void) { Void(); } /* The recursive call of the void */

Les messages affichés proviennent d'usenet.

Date	Sujet	#	Auteur
14 Jan 25	Re: Default PATH setting - reduce to something more sensible?	84	Dan Cross
14 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Richard Harnden
20 Jan 25	Re: Default PATH setting - reduce to something more sensible?	82	Wayne
20 Jan 25	Re: Default PATH setting - reduce to something more sensible?	81	Janis Papanagnou
21 Jan 25	Re: Default PATH setting - reduce to something more sensible?	80	Axel Reichert
21 Jan 25	Re: Default PATH setting - reduce to something more sensible?	7	Janis Papanagnou
22 Jan 25	Soft-links to binaries (was Re: Default PATH setting)	4	Janis Papanagnou
22 Jan 25	Re: Soft-links to binaries (was Re: Default PATH setting)	3	Keith Thompson
22 Jan 25	Re: Soft-links to binaries (was Re: Default PATH setting)	1	Lawrence D'Oliveiro
23 Jan 25	Re: Soft-links to binaries (was Re: Default PATH setting)	1	Janis Papanagnou
25 Jan 25	PATH for GUI applications (was: Default PATH setting - reduce to something more sensible?)	2	Axel Reichert
26 Jan 25	Re: PATH for GUI applications (was: Default PATH setting - reduce to something more sensible?)	1	Lawrence D'Oliveiro
22 Jan 25	Re: Default PATH setting - reduce to something more sensible?	72	Geoff Clare
22 Jan 25	Re: Default PATH setting - reduce to something more sensible?	71	Kaz Kylheku
23 Jan 25	Re: Default PATH setting - reduce to something more sensible?	70	Geoff Clare
23 Jan 25	Re: Default PATH setting - reduce to something more sensible?	69	Kenny McCormack
23 Jan 25	Re: Default PATH setting - reduce to something more sensible?	52	Dan Cross
23 Jan 25	Re: Default PATH setting - reduce to something more sensible?	51	Janis Papanagnou
23 Jan 25	Re: Default PATH setting - reduce to something more sensible?	3	Keith Thompson
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	2	Janis Papanagnou
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Keith Thompson
23 Jan 25	Re: Default PATH setting - reduce to something more sensible?	3	Kaz Kylheku
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Janis Papanagnou
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Jerry Peters
23 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	marrgol
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	43	Dan Cross
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	42	Janis Papanagnou
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	14	Dan Cross
25 Jan 25	Re: Default PATH setting - reduce to something more sensible?	5	Janis Papanagnou
25 Jan 25	Re: Default PATH setting - reduce to something more sensible?	4	Dan Cross
26 Jan 25	Re: Default PATH setting - reduce to something more sensible?	2	Keith Thompson
27 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Dan Cross
26 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Janis Papanagnou
26 Jan 25	Re: Default PATH setting - reduce to something more sensible?	8	Keith Thompson
26 Jan 25	Re: Default PATH setting - reduce to something more sensible?	3	Janis Papanagnou
26 Jan 25	Re: Default PATH setting - reduce to something more sensible?	2	Christian Weisgerber
27 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Janis Papanagnou
26 Jan 25	Early history of Bash (was: Re: Default PATH setting - reduce to something more sensible?)	4	Christian Weisgerber
27 Jan 25	Re: Early history of Bash	1	Keith Thompson
27 Jan 25	Re: Early history of Bash	2	Keith Thompson
27 Jan 25	Re: Early history of Bash	1	Lawrence D'Oliveiro
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	27	Keith Thompson
25 Jan 25	Re: Default PATH setting - reduce to something more sensible?	26	Janis Papanagnou
26 Jan 25	Re: Default PATH setting - reduce to something more sensible?	25	Keith Thompson
26 Jan 25	Re: Default PATH setting - reduce to something more sensible?	23	Kaz Kylheku
26 Jan 25	Re: Default PATH setting - reduce to something more sensible?	22	Janis Papanagnou
26 Jan 25	Re: Default PATH setting - reduce to something more sensible?	2	Kaz Kylheku
27 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Janis Papanagnou
26 Jan 25	Re: Default PATH setting - reduce to something more sensible?	3	Keith Thompson
3 Feb 25	Re: Default PATH setting - reduce to something more sensible?	2	Keith Thompson
3 Feb 25	Re: Default PATH setting - reduce to something more sensible?	1	Kaz Kylheku
27 Jan 25	Re: Default PATH setting - reduce to something more sensible?	16	Lawrence D'Oliveiro
27 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Kenny McCormack
27 Jan 25	Re: Default PATH setting - reduce to something more sensible?	11	Alexis
27 Jan 25	Re: Default PATH setting - reduce to something more sensible?	2	Kenny McCormack
27 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Alexis
27 Jan 25	Re: Default PATH setting - reduce to something more sensible?	8	Lawrence D'Oliveiro
27 Jan 25	Re: Default PATH setting - reduce to something more sensible?	7	Keith Thompson
27 Jan 25	Re: Default PATH setting - reduce to something more sensible?	3	Kaz Kylheku
27 Jan 25	Arbitrary characters in filenames (was Re: Default PATH setting ...)	2	Janis Papanagnou
27 Jan 25	Re: Arbitrary characters in filenames (was Re: Default PATH setting ...)	1	Kaz Kylheku
28 Jan 25	Re: Default PATH setting - reduce to something more sensible?	3	Lawrence D'Oliveiro
28 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Keith Thompson
28 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Kenny McCormack
27 Jan 25	Re: Default PATH setting - reduce to something more sensible?	2	Janis Papanagnou
28 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Lawrence D'Oliveiro
27 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Kaz Kylheku
26 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Janis Papanagnou
23 Jan 25	Re: Default PATH setting - reduce to something more sensible?	14	Kaz Kylheku
23 Jan 25	Re: Default PATH setting - reduce to something more sensible?	13	Keith Thompson
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	5	Keith Thompson
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	4	Kaz Kylheku
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	3	Keith Thompson
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	2	Lawrence D'Oliveiro
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Keith Thompson
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	7	Janis Papanagnou
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	6	Dan Cross
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	5	Janis Papanagnou
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	2	Dan Cross
25 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Janis Papanagnou
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	2	Keith Thompson
25 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Janis Papanagnou
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	2	Geoff Clare
24 Jan 25	Re: Default PATH setting - reduce to something more sensible?	1	Kenny McCormack