3

Is using the following kinds of pathnames in $PATH a secure and good practice:

  • empty pathname.

    findutils manual says it is insecure if $PATH contains an empty pathname, and I wonder why?

    Is an empty pathname an absolute or relative pathname?

  • pathnames containing tilde or filename expansions.

    Can a user of $PATH always understand and perform tilde or filename expansions in $PATH like shell?

    If I set the value of PATH in a shell startup script such as ~/.profile, does it matter at all, given that a shell executes the startup file?

    I found one related to tilde expansion https://unix.stackexchange.com/a/154290/674

  • current working directory. See Is it safe to add . to my PATH? How come?

Thanks.

Tim
  • 101,790

2 Answers2

4

If there is an empty element in PATH this refers to '.' and can be seen as insecure.

If the dot or empty element at the end of the PATH, this is not highly insecure, since it would only hit if someone places a binary in a directory that uses a misspelled system binary name.

For CDPATH it is the other way round: it you do not have the dot or empty element, cd will not find subdirectories in the current directory.

The tilde inside a PATH string is not understood. This is why the POSIX standard requires to expand tilde sequences after a colon in the command line when a shell macro is assigned.

Regarding the text you added to your question after I answered: these tilde characters are expanded before the command is executed.

heemayl
  • 56,300
schily
  • 19,173
  • 2
    Related to the first point: https://unix.stackexchange.com/questions/65700/is-it-safe-to-add-to-my-path-how-come – Kusalananda Jun 07 '18 at 16:52
  • Thanks. "If there is an empty element in PATH this refers to '.'" Does this happen only in $PATH or everywhere? – Tim Jun 07 '18 at 18:07
  • 1
    . is insecure no matter where in PATH it appears. People make typos all the time. The classic example is a malicious executable in /tmp called sl. – Reid Jun 07 '18 at 19:32
  • "these tilde characters are expanded before the command is executed." So does it matter whether I use tilde or filename expansions in $PATH? – Tim Jun 07 '18 at 19:53
  • 1
    @Reid mine is grpe – Chris Davies Jun 07 '18 at 20:23
  • I have some question understanding "The tilde inside a PATH string is not understood. This is why the POSIX standard requires to expand tilde sequences after a colon in the command line when a shell macro is assigned." https://unix.stackexchange.com/questions/448521/what-separators-does-the-lexer-of-bash-use-to-break-a-command-into-words – Tim Jun 07 '18 at 20:56
2

Just so others know if they hit this with google.

If you put . in your path and an attacker creates a file called ls in your current working directory that may get executed if it comes up before /bin/ls. That fake ls could be a shell script with rm -rf in it, if . came up in the path first you may unknowingly run that ls when you issue the command and destroy your files.

Joe M
  • 876