From: Grant Taylor <gtaylor@tnetconsulting.net>
To: zsh-users@zsh.org
Subject: Re: Thoughts on protecting against PATH interception via user owned profiles
Date: Sun, 15 Dec 2019 11:57:30 -0700 [thread overview]
Message-ID: <6e316ff9-2f75-866b-f34f-eb5afc45f264@spamtrap.tnetconsulting.net> (raw)
In-Reply-To: <CAG78ipVVDWvyhNGvxtXxm1J0wXKyXA80iwHv84NLxsk02NeruA@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 3008 bytes --]
On 12/15/19 12:57 AM, Andrew Parker wrote:
> The privilege escalation comes after the PATH is changed.
Please clearly explain what you think the privilege escalation is.
Changing the PATH does not change privileges. It likely changes which
program gets executed.
> The problem effectively is me, the developer. I run another program
> which escalates and inherits the PATH variable. That program
> then executes commands without specifying the full path to the
> binary.
This is why that it is best practice to put the full path to commands
when when possible. Particularly in scripts.
> Here's an example
>
> Consider Homebrew. The installation script calls sudo. The root shell
> inherits my user's env. Brew them executes numerous commands that
> can be intercepted. My system is now forever compromised.
I don't know about homebrew. But I do know that this is exactly why
sudo scrubs (rebuilds) (almost all of) the environment as the target
user and specifically does NOT copy it from the source user.
If homebrew, or more specifically the sudoers template allowing this, is
going contrary to all sudo best practices that I've ever read. Sudo
should be configured to thwart such an attack.
> It's easy to argue that this is a homebrew issue. However what about
> the 100s if not 1000s of "reasonable quality" tools that do similar
> things. As a modern developer how am I supposed to handle this? Do I
> have to audit every tool I use before allowing escalation? That's maybe
> a reasonable argument as well, but that's a hell of an overhead. Then
> what about upstream dependencies? Just because I audited homebrew today
> doesn't mean it'll be good tomorrow. Do we expect every developer to
> do this? Not really. Even if I do this, do I expect that I'll remember
> or get it right every time? Not really.
This is one of the reasons that sudo templates specify which command(s),
including the full path, is (are) allowed to be executed, likely
including parameters.
Yes, it is the system administrator's job to do the auditing that you
specify /if/ they care about avoiding the class of things you are asking
about. Many ~> most do not. Or if they do aren't able to audit things
for one reason or another.
> So my view is that a defence in depth strategy is the best approach. A
> relatively cheap and simple change would, at least as far as I can see,
> potentially add a lot of benefit to a lot of people.
Remember that the PATH environment variable is a convenience. I can
still specify the full path to a program and run it. So simply setting
PATH and then making it read-only won't prevent a determined actor. It
may be another picket fence to close and latch.
Aside: I believe in and advocate closing and latching as many picket
fences as possible. But I do question the security value of what I
understand to be discussed in this thread.
--
Grant. . . .
unix || die
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4013 bytes --]
next prev parent reply other threads:[~2019-12-15 21:09 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-15 6:27 Andrew Parker
2019-12-15 7:14 ` Daniel Shahaf
2019-12-15 7:57 ` Andrew Parker
2019-12-15 8:49 ` Daniel Shahaf
2019-12-15 17:42 ` Lewis Butler
2019-12-15 18:57 ` Grant Taylor [this message]
2019-12-15 19:47 ` Bart Schaefer
2019-12-17 13:34 ` Andrew Parker
2019-12-15 8:41 ` Roman Perepelitsa
2019-12-15 8:49 ` Andrew Parker
2019-12-15 14:31 ` Andrew Parker
2019-12-15 14:43 ` Roman Perepelitsa
2019-12-17 13:35 ` Andrew Parker
2019-12-16 4:10 ` Daniel Shahaf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6e316ff9-2f75-866b-f34f-eb5afc45f264@spamtrap.tnetconsulting.net \
--to=gtaylor@tnetconsulting.net \
--cc=zsh-users@zsh.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).