3

Is using the following kinds of pathnames in $PATH a secure and good practice:

  • empty pathname.

    findutils manual says it is insecure if $PATH contains an empty pathname, and I wonder why?

    Is an empty pathname an absolute or relative pathname?

  • pathnames containing tilde or filename expansions.

    Can a user of $PATH always understand and perform tilde or filename expansions in $PATH like shell?

    If I set the value of PATH in a shell startup script such as ~/.profile, does it matter at all, given that a shell executes the startup file?

    I found one related to tilde expansion https://unix.stackexchange.com/a/154290/674

  • current working directory. See Is it safe to add . to my PATH? How come?

Thanks.

Improve this question
0

2 Answers 2

Reset to default
4

If there is an empty element in PATH this refers to '.' and can be seen as insecure.

If the dot or empty element at the end of the PATH, this is not highly insecure, since it would only hit if someone places a binary in a directory that uses a misspelled system binary name.

For CDPATH it is the other way round: it you do not have the dot or empty element, cd will not find subdirectories in the current directory.

The tilde inside a PATH string is not understood. This is why the POSIX standard requires to expand tilde sequences after a colon in the command line when a shell macro is assigned.

Regarding the text you added to your question after I answered: these tilde characters are expanded before the command is executed.

Improve this answer
6
  • 2
    Related to the first point: unix.stackexchange.com/questions/65700/… Commented Jun 7, 2018 at 16:52
  • Thanks. "If there is an empty element in PATH this refers to '.'" Does this happen only in $PATH or everywhere? Commented Jun 7, 2018 at 18:07
  • 1
    . is insecure no matter where in PATH it appears. People make typos all the time. The classic example is a malicious executable in /tmp called sl. Commented Jun 7, 2018 at 19:32
  • "these tilde characters are expanded before the command is executed." So does it matter whether I use tilde or filename expansions in $PATH? Commented Jun 7, 2018 at 19:53
  • 1
    @Reid mine is grpe Commented Jun 7, 2018 at 20:23
2

Just so others know if they hit this with google.

If you put . in your path and an attacker creates a file called ls in your current working directory that may get executed if it comes up before /bin/ls. That fake ls could be a shell script with rm -rf in it, if . came up in the path first you may unknowingly run that ls when you issue the command and destroy your files.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.