Re: rsync --delete

To: debian-user@lists.debian.org
Subject: Re: rsync --delete
From: The Wanderer <wanderer@fastmail.fm>
Date: Tue, 20 Oct 2020 08:32:12 -0400
Message-id: <[🔎] 5F8ED8CC.8000103@fastmail.fm>
In-reply-to: <[🔎] 20201020114917.GZ902@eeg.ccf.org>
References: <[🔎] 20201016220942.GA4949@MikesPI> <[🔎] 205014f0-bdd7-b7d4-6497-df39ca1624b9@holgerdanske.com> <[🔎] 20201019115527.GN902@eeg.ccf.org> <[🔎] 6689b3ed-5052-19ba-cdab-4f42cd11ffa4@holgerdanske.com> <[🔎] 20201020114917.GZ902@eeg.ccf.org>

On 2020-10-20 at 07:49, Greg Wooledge wrote:

> On Mon, Oct 19, 2020 at 08:11:01PM -0700, David Christensen wrote:
>
>> On 2020-10-19 05:00, Greg Wooledge wrote:
>> > using an explicit /usr/bin/rsync is sketchy at best.  You
>> > should already have /usr/bin in your PATH
>> 
>> AIUI using absolute paths for tools in shell scripts is a security best
>> practice -- it helps defend against attacks where PATH is compromised and/or
>> trojaned system tools are inserted into directories at the front of PATH.
> 
> It's not "best practice", and it does not provide any security against
> a malevolent execution environment.  All it really does is introduce
> failures when the location of a tool changes.  (See all the instances
> of failures when new buster installations moved some tools from /bin
> to /usr/bin, and scripts were updated to use things like /usr/bin/mkdir,
> which then fails on *upgraded* buster systems.)
> 
> To illustrate why it doesn't provide any security protection:
> 
> unicorn:~$ function /bin/rm { echo "haha loser"; }
> unicorn:~$ /bin/rm xyzzy
> haha loser
> 
> Remember, bash can accept functions that are imported from the environment,
> and bash's functions have an extremely liberal allowed set of characters.

From a quick test, that seems to only matter if you actually import the
functions from the environment somehow.

$ cat /tmp/test-function-script.sh
#/bin/bash

/home/wanderer/bin/abecedarian.sh
$ function /home/wanderer/bin/abecedarian.sh { echo "nope"; }
$ abecedarian.sh
Usage: /home/wanderer/bin/abecedarian.sh /path/to/wordlist
$ /home/wanderer/bin/abecedarian.sh
nope
$ /tmp/test-function-script.sh
Usage: /home/wanderer/bin/abecedarian.sh /path/to/wordlist

If I'm parsing that correctly, the full-path invocation from within the
script doesn't seem to pick up the function definition from the outside
session.

I imagine there's probably some scenario that might occur outside of
intentional arrangement in which that definition would in fact be picked
up within the script; can you outline an exact reproducer scenario for
what you're thinking of?

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.         -- George Bernard Shaw

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

Follow-Ups:
- Re: rsync --delete
  - From: Greg Wooledge <wooledg@eeg.ccf.org>

References:
- rsync --delete
  - From: Mike McClain <mike.junk.46@att.net>
- Re: rsync --delete
  - From: David Christensen <dpchrist@holgerdanske.com>
- Re: rsync --delete
  - From: Greg Wooledge <wooledg@eeg.ccf.org>
- Re: rsync --delete
  - From: David Christensen <dpchrist@holgerdanske.com>
- Re: rsync --delete
  - From: Greg Wooledge <wooledg@eeg.ccf.org>

Prev by Date: Re: gmail settings
Next by Date: Re: rsync --delete
Previous by thread: Re: rsync --delete
Next by thread: Re: rsync --delete
Index(es):
- Date
- Thread