
Re: where to submit low security vulnerability in .profile?



On Mon, 19 Jun 2017, The Wanderer wrote:
> On 2017-06-19 at 11:59, Henrique de Moraes Holschuh wrote:
> > On Mon, 19 Jun 2017, Greg Wooledge wrote:
> >> You appear to be claiming that putting ~/bin in PATH is somehow
> >> inherently unsafe.  I don't agree.  Under what conditions would
> >> this result in any kind of privilege escalation?
> > 
> > The OP was complaining that ~/bin was being *prepended* to PATH,
> > instead of appended.
> > 
> > When you prepend ~/bin to PATH, it allows one to have a shell script
> > such as ~/bin/sudo that will be run instead of the system's sudo.
> > Then, some use of social engineering might get an admin or some other
> > user to type in a password to run a command using su or sudo.
> > 
> > That said, no, it is not usually considered a security
> > vulnerability, because NOT using the full path to run commands such
> > as "su" and "sudo" in the first place IS considered gross
> > negligence.
> > 
> > So, train your fingers!  There is no "su", it *is* /bin/su.  And
> > there is no "sudo", it *is* /usr/bin/sudo.  Never trust aliases,
> > PATH, or anything of the like for this stuff.
> 
> Wouldn't that seem to be an argument against installing the real su,
> sudo, and so forth, _anywhere_ in $PATH? If running them in any other
> way than with the full explicit path is such bad security practice, then
> why do we install them in such a way as to facilitate doing so?

It would.  I don't know of anyone that does that, though, because it is
too painful to be worth it.

The fact is, if we remove them, we will get a lot of complaints, and it
will break someone's scripts for sure (note: if these scripts set PATH
to something trusted, they're *not* unsafe).

Besides, it is valid for anything that will ask for passwords or
sensitive data.

One also has to pay attention to not ever "help the logged-in user"
under a terminal tap, rogue screen/tmux session, "script", etc...

-- 
  Henrique Holschuh
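An added example, not part of the thread: a small POSIX sh audit for the situation discussed above. It reports PATH entries that sit before the system dirs and are user-writable (the prepended ~/bin case) or relative, and checks that `su` and `sudo` resolve to the /bin/su and /usr/bin/sudo paths named in the mail. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: audit a PATH value for a user-writable
# directory (such as ~/bin) placed *before* the system dirs, and check that
# su/sudo resolve to the locations named in the mail.

# path_shadowing PATHVALUE
# Prints every entry that comes before /usr/bin or /bin and is either
# empty/relative or a directory writable by the current user.
# Returns 0 if none were found, 1 otherwise.
path_shadowing() {
    _found=0
    _old_ifs=$IFS
    IFS=:
    for _dir in $1; do
        case $_dir in
            /usr/bin|/bin) break ;;          # reached the system dirs: stop
            ''|[!/]*)                        # empty or relative entry
                printf 'relative PATH entry before system dirs: "%s"\n' "$_dir"
                _found=1 ;;
            *)
                if [ -d "$_dir" ] && [ -w "$_dir" ]; then
                    printf 'user-writable dir before system dirs: %s\n' "$_dir"
                    _found=1
                fi ;;
        esac
    done
    IFS=$_old_ifs
    return $_found
}

# resolve_in_path CMD PATHVALUE
# Prints the file the shell would run for CMD under that PATH (what
# "command -v" reports), without touching the caller's PATH.
resolve_in_path() {
    ( PATH=$2; export PATH; command -v "$1" 2>/dev/null )
}

# check_canonical CMD EXPECTED PATHVALUE
# Succeeds only if CMD resolves exactly to EXPECTED under PATHVALUE.
check_canonical() {
    [ "$(resolve_in_path "$1" "$3")" = "$2" ]
}

# Audit the caller's own environment when run as a script.
path_shadowing "$PATH" && echo "PATH: nothing user-writable before the system dirs"
check_canonical su   /bin/su       "$PATH" || echo "warning: 'su' would not run /bin/su"
check_canonical sudo /usr/bin/sudo "$PATH" || echo "warning: 'sudo' would not run /usr/bin/sudo"
```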