Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: Thoughts on protecting against PATH interception via user owned profiles



Andrew Parker wrote on Sun, 15 Dec 2019 07:57 +00:00:
> Consider Homebrew. The installation script calls sudo. The root shell 
> inherits my user's env.

There's your problem.  Don't run commands as root with the user's
environment, or with input from user-owned files, without auditing
them first.  (There's a trade-off between security and convenience.)

> So my view is that a defence in depth strategy is the best approach. A 
> relatively cheap and simple change would, at least as far as I can see, 
> potentially add a lot of benefit to a lot of people.

Again, an attacker with the assumed capabilities has so many ways
compromise your setup besides editing your dotfiles that protecting just
them would be completely pointless.

Your larger error here is that you're employing a blacklist approach
rather than a whitelist approach: you found an attack so you're trying
to block it.  This approach doesn't scale because there's always the
possibility of an attack you haven't thought of.  The right approach is
not to prove that specific attacks can't be mounted, but to prove that
*no* outcome can be achieved that isn't permitted.

In any case, we're getting _way_ off topic here.  This list is for
discussing zsh development.  If you'd like to propose implementing
a taint mode in zsh, that would be on topic — but as I said, it would have
to be a _lot_ more comprehensive than just calling fstatat(2) on
dotfiles.  Discussing security in general, however, is better done
elsewhere.

Cheers,

Daniel



Messages sorted by: Reverse Date, Date, Thread, Author