From: Daniel Shahaf <d.s@daniel.shahaf.name>
To: Zsh Users
Cc: Andrew Parker
Date: Mon, 16 Dec 2019 04:10:46 +0000
Subject: Re: Thoughts on protecting against PATH interception via user owned profiles
List-Id: Zsh Users List
X-Seq: 24555
Message-ID:
 <20191216041046.u2hwnkfxdfqer7io@tarpaulin.shahaf.local2>

Roman Perepelitsa wrote on Sun, Dec 15, 2019 at 09:41:14 +0100:
> On Sun, Dec 15, 2019 at 7:29 AM Andrew Parker wrote:
> > My question is whether zsh (and other shells) would ever be interested in
> > implementing a solution to this. My suggestion would be something like the
> > following (although there may be better alternatives):
> >
> > * zsh uses a config file in e.g. /etc directory which must be owned and
> >   only writable by root
> > * The config can be used to enable "protected profiles"
> > * Once protected profiles are enabled, only profiles which are owned and
> >   only writable by root can be sourced on startup
>
> You can do this by creating /etc/zshenv (owned by root) with the
> following content (untested):
>
> [[ -o no_rcs ]] && return
>
> () {
>   emulate -L zsh -o extended_glob
>   local file files=(zshenv)
>   [[ -o login ]] && files+=(zprofile zlogin zlogout)
>   [[ -o interactive ]] && files+=(zshrc)
>   for file in ${ZDOTDIR:-~}/.$^files; do
>     # Skip files that are absent, or that match the glob qualifiers
>     # u0 (owner uid 0), g0 (group gid 0) and ^W (not world-writable).
>     [[ ! -f $file || -n $file(#qNu0g0^W) ]] && continue
>     # Either not owned by root:root or world writable.
>     echo -E - "skipping zsh user rcs because ${(q)file} is tainted" >&2
>     setopt no_rcs
>     return 1 # alternatively: exit 1
>   done
> }
>
> This piece of code should not be used in production; it is insecure.
>
> This checks whether any of the user rc files are tainted (either not
> owned by root:root or world-writable) and unsets the rc option if so. This
> will prevent zsh from sourcing rc files from the user's home
> directory. You can take some other action there if you like, such as
> exiting the shell.
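The root-owned /etc/zshenv approach quoted above can also be expressed as a portable shell check that the zsh startup file merely calls. The following is an added example, not code from Roman Perepelitsa, Andrew Parker or the zsh project: it lists the user rc files zsh would consult for a given login/interactive combination and reports any that is not a regular file owned by a given uid:gid, or that is group- or world-writable. It goes slightly beyond the quoted snippet in rejecting symlinks and group-writable files as well as world-writable ones. The function names, the OWNER_UID/OWNER_GID parameters, the "tainted:" output format and the fixture files in the self-check are assumptions of this example; with owner 0:0 it is the root-owned-only policy proposed in the thread, while the self-check uses the current user's uid and gid so that it runs without privileges.

```shell
#!/bin/sh
# Added example, not code from the zsh-users thread: a POSIX-shell version of
# the "protected profiles" check. A user rc file passes only if it is a regular
# file (symlinks are rejected), owned by OWNER_UID:OWNER_GID, and neither
# group- nor world-writable. OWNER_UID=0 OWNER_GID=0 gives the root-owned-only
# policy from the thread; the self-check below uses the current user instead
# so that it can run unprivileged. Function names, the "tainted:" output
# format and the fixture files are assumptions of this example.

# Usage: zsh_rc_candidates ZDOTDIR LOGIN INTERACTIVE
# Prints, one per line and in sourcing order, the user rc files zsh consults
# for a shell with the given login (1/0) and interactive (1/0) flags.
zsh_rc_candidates() {
    rc_dir=$1; rc_login=$2; rc_inter=$3
    printf '%s\n' "$rc_dir/.zshenv"
    [ "$rc_login" = 1 ] && printf '%s\n' "$rc_dir/.zprofile"
    [ "$rc_inter" = 1 ] && printf '%s\n' "$rc_dir/.zshrc"
    [ "$rc_login" = 1 ] && printf '%s\n' "$rc_dir/.zlogin" "$rc_dir/.zlogout"
    return 0
}

# Usage: tainted_rc_files OWNER_UID OWNER_GID FILE...
# Prints "tainted: FILE" for every FILE that exists (or is a symlink) but
# violates the policy; returns 1 if any did, 0 otherwise. Missing files are
# skipped, since zsh simply does not source them.
tainted_rc_files() {
    t_uid=$1; t_gid=$2; shift 2
    t_status=0
    for t_file in "$@"; do
        [ -e "$t_file" ] || [ -L "$t_file" ] || continue
        # find looks at the path itself (-maxdepth 0) without following
        # symlinks, so -type f rejects a symlink planted in place of the rc
        # file; the negated -perm tests reject the group (020) and world (002)
        # write bits. The file passed only if find printed it.
        t_ok=$(find "$t_file" -maxdepth 0 -type f -user "$t_uid" -group "$t_gid" \
                   ! -perm -020 ! -perm -002 -print 2>/dev/null)
        if [ -z "$t_ok" ]; then
            printf 'tainted: %s\n' "$t_file"
            t_status=1
        fi
    done
    return $t_status
}

# How a root-owned /etc/zshenv could apply the policy (zsh syntax; the path
# of the sourced file is a placeholder, not a real location):
#   . /usr/local/lib/rc-policy.sh
#   rc_login=0; rc_inter=0
#   [[ -o login ]] && rc_login=1
#   [[ -o interactive ]] && rc_inter=1
#   tainted_rc_files 0 0 ${(f)"$(zsh_rc_candidates ${ZDOTDIR:-$HOME} $rc_login $rc_inter)"} \
#       || setopt no_rcs

# Self-check on a constructed fixture: a clean .zshenv, a world-writable
# .zshrc that prepends an attacker-controlled directory to PATH, a symlinked
# .zprofile, and a .zlogin that does not exist at all.
selfcheck() {
    sc_dir=$(mktemp -d) || return 1
    printf 'export PATH=/usr/bin:/bin\n' > "$sc_dir/.zshenv"
    chmod 644 "$sc_dir/.zshenv"
    printf 'export PATH=/tmp/evil:$PATH\n' > "$sc_dir/.zshrc"
    chmod 666 "$sc_dir/.zshrc"
    ln -s "$sc_dir/.zshenv" "$sc_dir/.zprofile"
    sc_rc=0
    sc_out=$(tainted_rc_files "$(id -u)" "$(id -g)" \
                 "$sc_dir/.zshenv" "$sc_dir/.zprofile" "$sc_dir/.zshrc" \
                 "$sc_dir/.zlogin") || sc_rc=$?
    rm -rf "$sc_dir"
    [ "$sc_rc" = 1 ] || return 1
    [ "$sc_out" = "tainted: $sc_dir/.zprofile
tainted: $sc_dir/.zshrc" ] || return 1
    return 0
}

if selfcheck; then
    echo 'rc-file policy self-check: OK'
else
    echo 'rc-file policy self-check: FAILED' >&2
fi
```

Because find is asked not to follow symlinks, a symlink dropped into $ZDOTDIR in place of a protected file fails the -type f test even when its target is a root-owned, read-only file; that is the one case the quoted zsh snippet's -f test treats differently, since -f follows the link. The check still says nothing about the directory that contains the files, which the user owns in the scenario under discussion.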