Security question

classic Classic list List threaded Threaded
12 messages Options
Bob
Reply | Threaded
Open this post in threaded view
|

Security question

Bob
I am fairly new to Linux so I have been reading "A Practical Guide to Linux
Commands, Editors and Shell Programming",  In the book they say that it is a
security issue to place the working directory and/or the home directory at the
front of the PATH.  Is this true?  If it is why does Ubuntu put the home
directory first in the PATH?

--
Robert Blair

--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
Reply | Threaded
Open this post in threaded view
|

Re: Security question

David Fletcher-5
On Mon, 2013-12-16 at 15:56 -0800, Bob wrote:
> I am fairly new to Linux so I have been reading "A Practical Guide to Linux
> Commands, Editors and Shell Programming",  In the book they say that it is a
> security issue to place the working directory and/or the home directory at the
> front of the PATH.  Is this true?  If it is why does Ubuntu put the home
> directory first in the PATH?
>
> --
> Robert Blair
>

Not seeing that here:-
dave@Tosh-NB520:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
dave@Tosh-NB520:~$



--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
Reply | Threaded
Open this post in threaded view
|

Re: Security question

David Fletcher-5
In reply to this post by Bob
PS forgot to say I switched this netbook to Mint but I'd be surprised if
that makes a difference to this question.

Dave



--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
Reply | Threaded
Open this post in threaded view
|

Re: Security question

Rashkae-2
In reply to this post by Bob
On 13-12-16 06:56 PM, Bob wrote:
> I am fairly new to Linux so I have been reading "A Practical Guide to Linux
> Commands, Editors and Shell Programming",  In the book they say that it is a
> security issue to place the working directory and/or the home directory at the
> front of the PATH.  Is this true?  If it is why does Ubuntu put the home
> directory first in the PATH?
>


That's a very good catch.  My system also has the home bin directories
at the start of my PATH, something I never even though to check!

Yes, it's true that this poses a security risk.

Imagine, for example, if someone attacking a linux based system tricked
a hapless user to running a unpriviliged script that wrote a password
spy script to /home/$USER/bin/sudo

Next time you tried to run a sudo command in a shell (maybe following a
tutorial of some kind.), as soon as you typed in your password, you
would instead be sending it to the attacker.

PS: The insecure configuration is caused by /etc/skel/.profile (on my
Raring install), which copies the .profile to all new users on
creation.   This file is part of the bash package.  Why would there even
be a skel/.profile?? shouldn't that be a file in /etc/profile.d or some
such?? Makes no sense to have that file in there.





--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
Reply | Threaded
Open this post in threaded view
|

Re: Security question

Colin Watson
In reply to this post by Bob
On Mon, Dec 16, 2013 at 03:56:47PM -0800, Bob wrote:
> I am fairly new to Linux so I have been reading "A Practical Guide to Linux
> Commands, Editors and Shell Programming",  In the book they say that it is a
> security issue to place the working directory and/or the home directory at the
> front of the PATH.  Is this true?  If it is why does Ubuntu put the home
> directory first in the PATH?

$HOME/bin is fine (IMO criticisms of this do not make sense; it's within
your privilege domain).  The problem with putting the current directory
in $PATH is that you might quite reasonably cd to a directory you don't
control.

--
Colin Watson                                       [[hidden email]]

--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
Reply | Threaded
Open this post in threaded view
|

Re: Security question

Colin Watson
In reply to this post by Rashkae-2
On Mon, Dec 16, 2013 at 08:09:14PM -0500, Rashkae wrote:

> On 13-12-16 06:56 PM, Bob wrote:
> >I am fairly new to Linux so I have been reading "A Practical Guide to Linux
> >Commands, Editors and Shell Programming",  In the book they say that it is a
> >security issue to place the working directory and/or the home directory at the
> >front of the PATH.  Is this true?  If it is why does Ubuntu put the home
> >directory first in the PATH?
>
> That's a very good catch.  My system also has the home bin
> directories at the start of my PATH, something I never even though
> to check!
>
> Yes, it's true that this poses a security risk.

No, it really doesn't.  That directory is only writable by your user, so
anyone who can write to that directory can also control your user in
myriad other ways; for example they could use the exact same access to
modify ~/.bashrc.  If they have this access, they're already inside the
security boundary you're trying to defend.

--
Colin Watson                                       [[hidden email]]

--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
Reply | Threaded
Open this post in threaded view
|

Re: Security question

Rashkae-2
On 13-12-17 01:21 PM, Colin Watson wrote:

> On Mon, Dec 16, 2013 at 08:09:14PM -0500, Rashkae wrote:
>> On 13-12-16 06:56 PM, Bob wrote:
>>> I am fairly new to Linux so I have been reading "A Practical Guide to Linux
>>> Commands, Editors and Shell Programming",  In the book they say that it is a
>>> security issue to place the working directory and/or the home directory at the
>>> front of the PATH.  Is this true?  If it is why does Ubuntu put the home
>>> directory first in the PATH?
>> That's a very good catch.  My system also has the home bin
>> directories at the start of my PATH, something I never even though
>> to check!
>>
>> Yes, it's true that this poses a security risk.
> No, it really doesn't.  That directory is only writable by your user, so
> anyone who can write to that directory can also control your user in
> myriad other ways; for example they could use the exact same access to
> modify ~/.bashrc.  If they have this access, they're already inside the
> security boundary you're trying to defend.
>

I already explained the attack method in the e-mail, which you
convenient cut out in you're reply, rather than address it. I agree it's
not something worth panicking over, but it's a very sloppy default
configuration for a distro.


--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
Reply | Threaded
Open this post in threaded view
|

Re: Security question

Paul Smith-2
On Tue, 2013-12-17 at 13:41 -0500, Rashkae wrote:

> On 13-12-17 01:21 PM, Colin Watson wrote:
> > On Mon, Dec 16, 2013 at 08:09:14PM -0500, Rashkae wrote:
> >> On 13-12-16 06:56 PM, Bob wrote:
> >>> I am fairly new to Linux so I have been reading "A Practical Guide to Linux
> >>> Commands, Editors and Shell Programming",  In the book they say that it is a
> >>> security issue to place the working directory and/or the home directory at the
> >>> front of the PATH.  Is this true?  If it is why does Ubuntu put the home
> >>> directory first in the PATH?
> >> That's a very good catch.  My system also has the home bin
> >> directories at the start of my PATH, something I never even though
> >> to check!
> >>
> >> Yes, it's true that this poses a security risk.
> > No, it really doesn't.  That directory is only writable by your user, so
> > anyone who can write to that directory can also control your user in
> > myriad other ways; for example they could use the exact same access to
> > modify ~/.bashrc.  If they have this access, they're already inside the
> > security boundary you're trying to defend.
> >
>
> I already explained the attack method in the e-mail, which you
> convenient cut out in you're reply, rather than address it. I agree it's
> not something worth panicking over, but it's a very sloppy default
> configuration for a distro.

No, Colin is correct.  If the attacker can trick you into running
something as your own account, hence adding content to ~/bin, then
you've already lost.  There's no point to worrying about it.

Note how Colin points out that the attacker can modify your ~/.bashrc...
so they can add ~/bin to your PATH themselves!  Or they can set up
aliases or shell functions to hide "sudo", "su", "ssh", etc.

From a "level of security" standpoint there's NO benefit (read:
increased security) to not including ~/bin in PATH by default.

".", on the other hand, is a whole different story.


--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
Reply | Threaded
Open this post in threaded view
|

Re: Security question

Rashkae-2
On 13-12-17 01:55 PM, Paul Smith wrote:

>
> No, Colin is correct.  If the attacker can trick you into running
> something as your own account, hence adding content to ~/bin, then
> you've already lost.  There's no point to worrying about it.
>
> Note how Colin points out that the attacker can modify your ~/.bashrc...
> so they can add ~/bin to your PATH themselves!  Or they can set up
> aliases or shell functions to hide "sudo", "su", "ssh", etc.
>
> >From a "level of security" standpoint there's NO benefit (read:
> increased security) to not including ~/bin in PATH by default.
>
> ".", on the other hand, is a whole different story.
>
>

Allright, fair point.  But to clarify, I'm not suggesting removing ~/bin
from the default PATH.  However, it should be added to the end of the
path, not prepended to the system /bin /sbin.

--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
Reply | Threaded
Open this post in threaded view
|

Re: Security question

C de-Avillez-2



On Tue, Dec 17, 2013 at 1:40 PM, Rashkae <[hidden email]> wrote:

Allright, fair point.  But to clarify, I'm not suggesting removing ~/bin from the default PATH.  However, it should be added to the end of the path, not prepended to the system /bin /sbin.


This is an user choice. ~/bin is *empty* when a new user is created. How it is going to be used is up to the user. I see no security issue in having it at the beginning of $PATH -- in fact, I use it to override program calls when I want to do something different (it is not always you can just alias, or rename, a command call). Of course, I could as well create a -- say -- ~/mybin, add it to the beginning of $PATH, and keep ~/bin at the end. But I think this would just give me more work with minimal, if at all, gain.

OTOH, if you do something like that, you *have* to know what you are doing, and collect the pieces when it breaks. 

So... YMMV.

Cheers,
--
..hggdh..

--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
Reply | Threaded
Open this post in threaded view
|

Re: Security question

Oliver Grawert
hi,
Am Dienstag, den 17.12.2013, 14:43 -0600 schrieb C de-Avillez:


> On Tue, Dec 17, 2013 at 1:40 PM, Rashkae <[hidden email]>
> wrote:

>         Allright, fair point.  But to clarify, I'm not suggesting
>         removing ~/bin from the default PATH.  However, it should be
>         added to the end of the path, not prepended to the
>         system /bin /sbin.


>
> This is an user choice. ~/bin is *empty* when a new user is created.

nope, ~/bin does not exist at all for a freshly created user...

the snippet in ~/.profile will only add it to your PATH if the user
actively created it (which is why someone in the thread did not see it
at all in his PATH)

cat ~/.profile
...
# set PATH so it includes user's private bin if it exists
if [ -d ~/bin ] ; then
    PATH=~/bin:"${PATH}"
fi
...


ciao
        oli

--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

signature.asc (205 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Security question

Colin Watson
In reply to this post by Rashkae-2
On Tue, Dec 17, 2013 at 01:41:24PM -0500, Rashkae wrote:

> On 13-12-17 01:21 PM, Colin Watson wrote:
> >On Mon, Dec 16, 2013 at 08:09:14PM -0500, Rashkae wrote:
> >>That's a very good catch.  My system also has the home bin
> >>directories at the start of my PATH, something I never even though
> >>to check!
> >>
> >>Yes, it's true that this poses a security risk.
> >
> >No, it really doesn't.  That directory is only writable by your user, so
> >anyone who can write to that directory can also control your user in
> >myriad other ways; for example they could use the exact same access to
> >modify ~/.bashrc.  If they have this access, they're already inside the
> >security boundary you're trying to defend.
>
> I already explained the attack method in the e-mail, which you
> convenient cut out in you're reply, rather than address it.

I did address it; I just didn't feel it necessary to overquote.  Your
"attack vector" is in effect identical to many other ways you can use
the ability to write to the filesystem using a user's filesystem
privileges to attack that user, such as the ~/.bashrc method I noted.
You cannot defend a security boundary that simply does not exist in any
practical sense.

--
Colin Watson                                       [[hidden email]]

--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users