Zsh Mailing List Archive
Re: (OT?) Re: Zsh configuration files
- X-seq: zsh-users 13491
- From: "Matt Wozniski" <godlygeek@xxxxxxxxx>
- To: zsh-users@xxxxxxxxxx
- Subject: Re: (OT?) Re: Zsh configuration files
- Date: Tue, 25 Nov 2008 13:50:19 -0500
- In-reply-to: <alpine.LNX.2.00.0811251304340.5776@acer>
- Mailing-list: contact zsh-users-help@xxxxxxxxxx; run by ezmlm
- References: <ggbjfl$der$1@xxxxxxxxxxxxx> <2d460de70811230730v1a79f3b3rd73a020f99b66f02@xxxxxxxxxxxxxx> <ggcv5t$a88$1@xxxxxxxxxxxxx> <alpine.LNX.2.00.0811241643240.20698@xxxxxxxxxxxxxxx> <b2e43f8f0811250910l7828242bnf3c8e137756b2f16@xxxxxxxxxxxxxx> <alpine.LNX.2.00.0811251304340.5776@acer>
On Tue, Nov 25, 2008 at 1:26 PM, Benjamin R. Haskell wrote:
> On Tue, 25 Nov 2008, Allan Caffee wrote:
>
>> On Mon, Nov 24, 2008 at 5:33 PM, Benjamin R. Haskell
>> wrote:
>>
>>> Long ago, I set some things up for easily sharing my Zsh startup scripts
>>> between various computers I use. I did most of this when I was still fairly
>>> new to Zsh, so some things might have easier/better ways to do them, but
>>> this is how I set mine up. Some features:
>>>
>>> 1. Automatically runs any files matching .zsh_* in my home dir, excluding
>>> vim swap files
>>>
>>> 2. For running as root, I can just link my normal-user .zshrc and .zshenv
>>> files, and it'll detect that they're linked, and use the .zsh_* files from
>>> my normal-user directory
>>
>> That sounds really dangerous. You're offering a hook for someone to
>> execute arbitrary code as root. If someone breaks your user account they
>> could for example add a file in your home directory that resets the root
>> password or does some other really mean things. If you want root to have
>> the same setup as your regular user you should put it somewhere that only
>> root can write.
>
> I was thinking about that as I posted to the list, and since you pointed it
> out, maybe I'll get some general feedback... (sorry if this is too
> off-topic)
>
> Like many users (I suspect), most of the systems I'm talking about here are
> essentially single-user systems. I log in under a normal user account, but
> the only reason not to log in as root is 'rm -rf /' protection. (i.e. so as
> to not cause unintentional damage.) On other systems, either:
>
> 1) I don't have root access, so this doesn't apply
>
> 2) The systems are properly secured (running/behind a firewall,
> non-essential services are off, passwords are strong, system is kept
> up-to-date, and I only ever log in to my normal account via SSH with keys)
> [modulo, of course, this discussion]
>
> Am I really setting myself up for badness via this automated .zsh_* stuff?

Yes. Automatically running code as root that can be written by a
regular user is a very bad idea.

> And even beyond those reasons... I always got the impression that someone
> capable of using exploit X to break into a normal user's account had a
> pretty low barrier to using exploit Y to elevate their privileges to root.
> Is that not generally the case? [i.e. a system is only as secure as its
> least secure user]

That's not really true at all. It's much harder to get root
privileges with a regular user account than to break into the
system... and with a setup like yours, you make it much much easier
for someone to run arbitrary code as root, and compromise the system
entirely. The fact that extracting a tarball in $HOME that extracts a
(hidden!) file named .zsh_* can cause a script to be run as root that
can do anything at all to the system is very, very bad.

~Matt
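
A guard of the kind this thread argues for, as an added example that is not part of the original message: a startup file is sourced only when both the file and its directory are owned by a trusted UID and are not group- or world-writable. The function names and the UID parameter are assumptions, and the code is written in POSIX sh rather than zsh-specific syntax.

```shell
#!/bin/sh
# Added example: names and the trusted-UID parameter are assumptions.

# path_is_trusted PATH UID: succeeds only if PATH (symlink followed) is
# owned by UID and is neither group- nor world-writable. Fails closed.
path_is_trusted() {
    [ -e "$1" ] || return 1
    # find prints the path when any unsafe condition holds.
    bad=$(find -H "$1" -prune \
        \( ! -user "$2" -o -perm -020 -o -perm -002 \) -print) || return 1
    [ -z "$bad" ]
}

# file_is_trusted FILE UID: the file and the directory containing it must
# both pass, since a writable directory lets others add or replace files.
# For a symlink, the target's owner and mode are what get checked.
file_is_trusted() {
    path_is_trusted "$1" "$2" && path_is_trusted "$(dirname "$1")" "$2"
}

# source_trusted UID FILE...: source each FILE that passes, refuse the rest.
# SKIPPED holds the number of files refused.
source_trusted() {
    trusted_uid=$1; shift
    SKIPPED=0
    for f in "$@"; do
        case $f in /*|./*) ;; *) f=./$f ;; esac   # keep find and . from misreading it
        if file_is_trusted "$f" "$trusted_uid"; then
            . "$f"
        else
            echo "refusing to source $f: writable by someone other than uid $trusted_uid" >&2
            SKIPPED=$((SKIPPED + 1))
        fi
    done
}

# In root's startup file, instead of sourcing every match unconditionally:
#   source_trusted 0 "$HOME"/.zsh_*
```

With root's `.zshrc` linked to a normal user's files, as in the setup quoted above, every `.zsh_*` file owned by that user is refused, including one dropped into `$HOME` by an extracted tarball.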