Thoughts on protecting against PATH interception via user owned profiles

[Andrew Parker <andrew.j.c.parker@xxxxxxxxx>]

Hey guys,

I'm curious to hear the community's thoughts on the threat of PATH
interception in shells. Specifically, it's very easy for a malicious
process, running as regularly user, to interfere with your profiles and
there's no fool-proof way to protect against this. For example, a malicious
binary can easily change a profile to insert something into your PATH. Once
that's done a privilege escalation is extremely feasible due to the vast
number of tools that rely on your path and which don't specify full paths
to binaries they in turn shell out to.

My question is whether zsh (and other shells) would ever be interested in
implementing a solution to this. My suggestion would be something like the
following (although there may be better alternatives):

* zsh uses a config file in e.g. /etc directory which much be owned and
only writable by root
* The config can be used enable "protected profiles"
* Once protected profiles are enabled, only profiles which are owned and
only writable by root can be sourced on startup

N.B. I'm only proposing this config to allow backwards compatibility for
users who don't want this or might face unexpected issues.

I've written some gory details here in this article:
http://modelephant.net/?p=95. Sorry for the self-promotion, that's actually
not my intent. However, I can't really write things down any clearer than I
have done there.

Thoughts welcome on this, in particular

* Did I miss a trick with my analysis?
* Is zsh somehow already protected (I've only really stared hard at bash)
* Is anyone else worried about this sort of threat?
* Does anyone care? :)

Andrew