From: "Daniel Shahaf"
To: "Andrew Parker"
Cc: zsh-users@zsh.org
Date: Sun, 15 Dec 2019 08:49:42 +0000
Subject: Re: Thoughts on protecting against PATH interception via user-owned profiles
Message-Id: <96134986-6467-4a52-87a8-77bba033f737@www.fastmail.com>
References: <20191215071417.ivb76lzapj43ag3z@tarpaulin.shahaf.local2>
List-Id: Zsh Users List
X-Seq: 24537

Andrew Parker wrote on Sun, 15 Dec 2019 07:57 +00:00:
> Consider Homebrew. The installation script calls sudo. The root shell
> inherits my user's env.

There's your problem. Don't run commands as root with the user's environment, or with input from user-owned files, without auditing them first. (There's a trade-off between security and convenience.)

> So my view is that a defence in depth strategy is the best approach. A
> relatively cheap and simple change would, at least as far as I can see,
> potentially add a lot of benefit to a lot of people.

Again, an attacker with the assumed capabilities has so many ways to compromise your setup besides editing your dotfiles that protecting just them would be completely pointless.

Your larger error here is that you're employing a blacklist approach rather than a whitelist approach: you found an attack so you're trying to block it. This approach doesn't scale because there's always the possibility of an attack you haven't thought of. The right approach is not to prove that specific attacks can't be mounted, but to prove that *no* outcome can be achieved that isn't permitted.

In any case, we're getting _way_ off topic here. This list is for discussing zsh development. If you'd like to propose implementing a taint mode in zsh, that would be on topic — but as I said, it would have to be a _lot_ more comprehensive than just calling fstatat(2) on dotfiles. Discussing security in general, however, is better done elsewhere.

Cheers,

Daniel
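A defender-side illustration of the two points in the message above, added here and not code from the zsh-users thread or from zsh: an audit a root process could run over an inherited PATH before trusting it, and the whitelist alternative of starting from an empty environment (the same idea as sudo's default env_reset) rather than inheriting the caller's. The flagged conditions and the CLEAN_PATH whitelist are assumptions for the example, not anything proposed on the list.

```shell
#!/bin/sh
# Added illustration, not code from the zsh-users thread. Two defensive
# pieces: a PATH audit for a process about to run as root with an inherited
# PATH, and a "start from nothing" runner that does not inherit the caller's
# environment at all (the same idea as sudo's default env_reset).
# CLEAN_PATH is an assumed whitelist; adjust it to the system in question.
CLEAN_PATH="/usr/sbin:/usr/bin:/sbin:/bin"

# path_risk_report PATHSTRING
# Prints "<reason>: <entry>" for every entry a root process should not
# trust: empty or relative entries (they resolve against the current
# directory), entries that are not directories, and directories writable
# by group or others. Returns 0 if nothing was flagged, 1 otherwise.
path_risk_report() {
    flagged=0
    IFS=:
    set -f                       # no globbing while splitting on ':'
    for d in $1; do
        case "$d" in
            ""|[!/]*) printf 'relative-or-empty: %s\n' "$d"; flagged=1; continue ;;
        esac
        if [ ! -d "$d" ]; then
            printf 'not-a-directory: %s\n' "$d"; flagged=1; continue
        fi
        # Columns 6 and 9 of "ls -ld" output are the group and other write bits.
        case "$(ls -ld "$d")" in
            ?????w*|????????w*) printf 'group-or-world-writable: %s\n' "$d"; flagged=1 ;;
        esac
    done
    set +f
    unset IFS
    return $flagged
}

# run_with_clean_env CMD [ARGS...]
# Whitelist approach: discard the inherited environment and set only what
# the command needs, rather than trying to spot every hostile variable.
run_with_clean_env() {
    env -i PATH="$CLEAN_PATH" "$@"
}
```

Run `path_risk_report "$PATH"` in the shell that is about to escalate; a non-zero return means at least one entry was flagged.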