Re: Default PATH setting - reduce to something more sensible?

Keith Thompson <Keith.S.Thompson+u@gmail.com> writes:

Janis Papanagnou <janis_papanagnou+ng@hotmail.com> writes:

On 26.01.2025 06:26, Kaz Kylheku wrote:

[...]

If someone has, say, "~/bin" in their PATH, ahead of /bin and /usr/bin,
I can put a malicious program in some directory called "~/bin"
somewhere in the filesystem, give that program the name of a common
external utility, and trick the user into changing into that location
where they will run this common command, resolving to my malicious
program.

>
To my best knowledge using '/' as part of a file or directory name is
(as the '\0') prohibited by the operating system at a very low level.

>
Correct, but ...
>

So there would, IMO, not be a security hole (i.e. not because of that).

>
It's not a directory named '~/bin'.  It's a directory named 'bin'
under a directory named '~'.
>
Bash interprets '~/bin' as a component of $PATH as $HOME/bin .
Everything(?) else interprets it as a relative path referring to
a bin subdirectory of a literal '~' subdirectory in the current
directory.
>
Hmm.  The exploit Kaz discussed involves programs other than
bash treating '~/bin' as a relative path.  But bash itself could
be affected if $HOME expands to a relative path (I've confirmed
the behavior).  On the other hand, that's less likely to happen.
Kaz's exploit just requires getting the victim to cd into a specified
directory; this would also require getting the user to change the
value of $HOME.

Another interesting tidbit: the GNU `which` command has a "--skip-tilde"
option that tells it to skip elements of $PATH that start with '~'
(and also directories anywhere under $HOME).

From the output of `which --help`:

    --skip-tilde     Skip directories in PATH that start with a tilde.

From the info documentation:

    ‘--skip-tilde’
         Skip directories in ‘PATH’ that start with a tilde and executables
         which reside in the ‘HOME’ directory.

(On Ubuntu, /usr/bin/which is provided by the the "debianutils" package.
I don't see a way to install GNU which other than by building it from
source.)

--
Keith Thompson (The_Other_Keith) Keith.S.Thompson+u@gmail.com
void Void(void) { Void(); } /* The recursive call of the void */