From: HoneyMonster on
Sorry if this is a FAQ; I am new to Slackware (but not to Unix/Linux).

I've installed Slackware 13.1.0 (64 bit), in case that makes any
difference. I am having a look around at the default installation, before
trying to do anything meaningful with it.

I notice that by default, for non-root users, the current directory is
put into the path. I'm not sure that's a good idea, so I edited
/etc/profile and commented out that part.

Two questions: Is my concern warranted, and is that the 'best practice'
fix?

Thanks.
From: Lew Pitcher on
On July 15, 2010 11:07, in alt.os.linux.slackware, someone(a)someplace.invalid
wrote:

> Sorry if this is a FAQ; I am new to Slackware (but not to Unix/Linux).
>
> I've installed Slackware 13.1.0 (64 bit), in case that makes any
> difference. I am having a look around at the default installation, before
> trying to do anything meaningful with it.
>
> I notice that by default, for non-root users, the current directory is
> put into the path. I'm not sure that's a good idea, so I edited
> /etc/profile and commented out that part.
>
> Two questions: Is my concern warranted, and is that the 'best practice'
> fix?

Let's take the questions one at a time...

Is your concern warranted?
Yes, but with caveats.

Placing /any/ uncontrolled directory in the PATH is a questionable practice.
If a malicious user places a trojan application into that uncontrolled
directory, there is a possibility that an unsuspecting user could
inadvertently execute that trojan rather than the intended safe
application. If the trojan's directory is not in the PATH, then the user
must /explicitly/ name the directory when starting the app, and
thus /should be/ aware of the dangers.

But, given that a user can execute an app (trojan or not) by using a
qualified path to the binary, the danger isn't one of technical protection,
but is one of end-user education. If /home/blackhat/bin/ps is a trojan,
there is nothing within the system that protects the whitehat user from it,
other than the *knowledge* of its location. If user blackhat tells user
whitehat that /home/blackhat/bin/ps is a "better ps", and user whitehat
explicitly runs /home/blackhat/bin/ps, all bets are off. There is no
explicit system component that stops such behaviour.

So, the danger is one of lack of knowledge, not of placement in the PATH.

The default Slackware profile puts the cwd at the end of the $PATH, /after/
all the system standard directories. For cwd to be a problem, the blackhat
must name his trojan a name that does not exist within the standard
directories (i.e. "Ps" rather than "ps") and hope for a mis-type, or he
must convince the whitehat user to run the binary with an explicit path of
some sort (i.e. "./ps").

So,
- no cwd in the path is more secure than cwd in the path
- cwd at the end of the path is more secure than cwd elsewhere in the path,
- cwd at the head of the path is definitely insecure
And all this security issue is moot if the user is complacent about
security.


Is this the best practice fix?

I'd say so.

If the end-user wants cwd in his PATH, he can easily set it up as part of
his personal .profile (~/.profile). If the end-user doesn't want cwd in his
PATH, removing it is a bit more complex. And if the end-user doesn't care
(or doesn't know to care), then he won't miss cwd in the PATH.

Just my two cents
--
Lew Pitcher
Master Codewright & JOAT-in-training | Registered Linux User #112576
Me: http://pitcher.digitalfreehold.ca/ | Just Linux: http://justlinux.ca/
---------- Slackware - Because I know what I'm doing. ------
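
An added example, not part of any post in this thread: a POSIX sh audit of a PATH string for entries that resolve against the current directory, reporting the position of each (the ordering the reply above ranks) and producing a cleaned PATH. The function names and the sample PATH strings are constructed for illustration.

```sh
#!/bin/sh
# Classify one PATH component: print a kind if it is resolved against the
# current directory, print nothing for an absolute directory.
cwd_kind() {
    case $1 in
        '') echo empty ;;     # zero-length entry: POSIX legacy meaning cwd
        .)  echo dot ;;
        /*) ;;                # absolute path, not cwd-dependent
        *)  echo relative ;;  # e.g. "bin" or "./bin"
    esac
}

# Print "position kind" for every cwd-dependent entry of the PATH string $1.
path_cwd_entries() {
    rest="$1:" pos=0          # trailing ':' so a final empty entry is seen
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}; pos=$((pos + 1))
        kind=$(cwd_kind "$entry")
        if [ -n "$kind" ]; then echo "$pos $kind"; fi
    done
    return 0
}

# Print $1 with cwd-dependent entries removed, order otherwise preserved.
# Returns 1 and prints nothing if no entry survives, because an empty PATH
# must not be exported in place of the original.
path_strip_cwd() {
    rest="$1:" out=
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}
        if [ -z "$(cwd_kind "$entry")" ]; then out="${out:+$out:}$entry"; fi
    done
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Constructed samples: cwd last (the layout described in the thread), and a
# PATH with cwd first plus hidden empty and relative entries.
for sample in '/usr/local/bin:/usr/bin:/bin:/usr/games:.' '.:/usr/bin::/bin:bin:'
do
    echo "PATH=$sample"
    path_cwd_entries "$sample" | sed 's/^/  cwd entry at position /'
    echo "  cleaned: $(path_strip_cwd "$sample")"
done
```

Run `path_cwd_entries "$PATH"` in a login shell after editing /etc/profile to confirm no cwd entry is left, including the empty-component forms that a stray or trailing colon creates.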


From: Sylvain Robitaille on
HoneyMonster wrote:

> I notice that by default, for non-root users, the current directory is
> put into the path. I'm not sure that's a good idea, so I edited
> /etc/profile and commented out that part.
>
> Two questions: Is my concern warranted, and is that the 'best practice'
> fix?

Yes and yes.

As has been pointed out, Slackware puts '.' at the *end* of the path so
under normal circumstances it shouldn't cause harm, but that's not to
say it wouldn't still be better to not have it there at all. The exact
change you made is among the first things I do after a fresh system
installation.

--
----------------------------------------------------------------------
Sylvain Robitaille syl(a)encs.concordia.ca

Systems analyst / AITS Concordia University
Faculty of Engineering and Computer Science Montreal, Quebec, Canada
----------------------------------------------------------------------
From: Mike Jones on
Responding to Sylvain Robitaille:

> HoneyMonster wrote:
>
>> I notice that by default, for non-root users, the current directory is
>> put into the path. I'm not sure that's a good idea, so I edited
>> /etc/profile and commented out that part.
>>
>> Two questions: Is my concern warranted, and is that the 'best practice'
>> fix?
>
> Yes and yes.
>
> As has been pointed out, Slackware puts '.' at the *end* of the path so
> under normal circumstances it shouldn't cause harm, but that's not to
> say it wouldn't still be better to not have it there at all. The exact
> change you made is among the first things I do after a fresh system
> installation.



This sounds like a sensible thing to do, so...

Why is it the default?

....and\or

Why not change it accordingly in the next release?

Has anybody found a /dis/advantage to this edit?

--
*=( http://www.thedailymash.co.uk/
*=( For all your UK news needs.
From: Loki Harfagr on
Thu, 15 Jul 2010 16:24:57 +0000, Mike Jones did cat :

> Responding to Sylvain Robitaille:
>
>> HoneyMonster wrote:
>>
>>> I notice that by default, for non-root users, the current directory is
>>> put into the path. I'm not sure that's a good idea, so I edited
>>> /etc/profile and commented out that part.
>>>
>>> Two questions: Is my concern warranted, and is that the 'best
>>> practice' fix?
>>
>> Yes and yes.
>>
>> As has been pointed out, Slackware puts '.' at the *end* of the path so
>> under normal circumstances it shouldn't cause harm, but that's not to
>> say it wouldn't still be better to not have it there at all. The exact
>> change you made is among the first things I do after a fresh system
>> installation.
>
>
>
> This sounds like a sensible thing to do, so...
>
> Why is it the default?

or why is it, at the moment, the default as it wasn't some times before?

>
> ...and\or
>
> Why not change it accordingly in the next release?
>
> Has anybody found a /dis/advantage to this edit?

well, no, especially since most of my users area mounts are 'noexec',
but I'd admit that could be a pita for the occasional user. It's
more like a second level security reflex, like when I want to
shoot my foot with that rope not only should I think about the
security trigger but I also must be clean enough to remember where did
I put the bullets and then remember how to load them in the rope.

Now, you also may like to add specifically tuned umask for users
but I think that discussion is already at work in the other lane ;-)