From: "Daniel Shahaf" <d.s@daniel.shahaf.name>
To: "Andrew Parker" <andrew.j.c.parker@gmail.com>
Cc: zsh-users@zsh.org
Subject: Re: Thoughts on protecting against PATH interception via user owned profiles
Date: Sun, 15 Dec 2019 08:49:42 +0000 [thread overview]
Message-ID: <96134986-6467-4a52-87a8-77bba033f737@www.fastmail.com> (raw)
In-Reply-To: <CAG78ipVVDWvyhNGvxtXxm1J0wXKyXA80iwHv84NLxsk02NeruA@mail.gmail.com>
Andrew Parker wrote on Sun, 15 Dec 2019 07:57 +00:00:
> Consider Homebrew. The installation script calls sudo. The root shell
> inherits my user's env.
There's your problem. Don't run commands as root with the user's
environment, or with input from user-owned files, without auditing
them first. (There's a trade-off between security and convenience.)
> So my view is that a defence in depth strategy is the best approach. A
> relatively cheap and simple change would, at least as far as I can see,
> potentially add a lot of benefit to a lot of people.
Again, an attacker with the assumed capabilities has so many ways
compromise your setup besides editing your dotfiles that protecting just
them would be completely pointless.
Your larger error here is that you're employing a blacklist approach
rather than a whitelist approach: you found an attack so you're trying
to block it. This approach doesn't scale because there's always the
possibility of an attack you haven't thought of. The right approach is
not to prove that specific attacks can't be mounted, but to prove that
*no* outcome can be achieved that isn't permitted.
In any case, we're getting _way_ off topic here. This list is for
discussing zsh development. If you'd like to propose implementing
a taint mode in zsh, that would be on topic — but as I said, it would have
to be a _lot_ more comprehensive than just calling fstatat(2) on
dotfiles. Discussing security in general, however, is better done
elsewhere.
Cheers,
Daniel
next prev parent reply other threads:[~2019-12-15 8:51 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-15 6:27 Andrew Parker
2019-12-15 7:14 ` Daniel Shahaf
2019-12-15 7:57 ` Andrew Parker
2019-12-15 8:49 ` Daniel Shahaf [this message]
2019-12-15 17:42 ` Lewis Butler
2019-12-15 18:57 ` Grant Taylor
2019-12-15 19:47 ` Bart Schaefer
2019-12-17 13:34 ` Andrew Parker
2019-12-15 8:41 ` Roman Perepelitsa
2019-12-15 8:49 ` Andrew Parker
2019-12-15 14:31 ` Andrew Parker
2019-12-15 14:43 ` Roman Perepelitsa
2019-12-17 13:35 ` Andrew Parker
2019-12-16 4:10 ` Daniel Shahaf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=96134986-6467-4a52-87a8-77bba033f737@www.fastmail.com \
--to=d.s@daniel.shahaf.name \
--cc=andrew.j.c.parker@gmail.com \
--cc=zsh-users@zsh.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).