From: Andrew Parker
Date: Sun, 15 Dec 2019 14:27:45 +0800
Subject: Thoughts on protecting against PATH interception via user owned profiles
To: zsh-users@zsh.org
List-Id: Zsh Users List

Hey guys,

I'm curious to hear the community's thoughts on the threat of PATH interception in shells. Specifically, it's very easy for a malicious process, running as a regular user, to interfere with your profiles and there's no fool-proof way to protect against this. For example, a malicious binary can easily change a profile to insert something into your PATH. Once that's done, a privilege escalation is extremely feasible due to the vast number of tools that rely on your path and which don't specify full paths to binaries they in turn shell out to.

My question is whether zsh (and other shells) would ever be interested in implementing a solution to this. My suggestion would be something like the following (although there may be better alternatives):

* zsh uses a config file in e.g. the /etc directory which must be owned and only writable by root
* The config can be used to enable "protected profiles"
* Once protected profiles are enabled, only profiles which are owned and only writable by root can be sourced on startup

N.B. I'm only proposing this config to allow backwards compatibility for users who don't want this or might face unexpected issues.

I've written some gory details here in this article: http://modelephant.net/?p=95. Sorry for the self-promotion, that's actually not my intent. However, I can't really write things down any clearer than I have done there.

Thoughts welcome on this, in particular:

* Did I miss a trick with my analysis?
* Is zsh somehow already protected? (I've only really stared hard at bash)
* Is anyone else worried about this sort of threat?
* Does anyone care? :)

Andrew
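The "protected profiles" rule proposed above, as an added example that is not part of the original post or of zsh: a POSIX shell check that refuses to source a startup file unless the file and its directory are owned by the expected uid (root = 0 by default) and carry no group or other write bit. The helper names (`profile_is_protected`, `safe_source`) and the optional uid argument are assumptions made here so the check can be exercised on files owned by an ordinary user.

```shell
#!/bin/sh
# Added example, not from the original message or from zsh. Implements the
# "only source profiles owned and writable only by root" rule. The parent
# directory is checked as well, because a writable directory lets an attacker
# replace the whole file even when the file itself is root-owned 0644.
# Caveat: only classic mode bits are inspected; POSIX ACLs that grant write
# access are not visible here and would need getfacl or equivalent.

# Print "<mode> <uid>" for a path, following symlinks (-L) with numeric ids
# (-n). ls is used instead of stat because stat's flags differ between GNU
# and BSD userlands, while `ls -ldnL` works on both.
file_mode_uid() {
    ls -ldnL "$1" 2>/dev/null | awk '{ print $1, $3 }'
}

# profile_is_protected FILE [UID]: return 0 when FILE and its directory are
# owned by UID (default 0) and have no group/other write bit, else report the
# reason on stderr and return 1.
profile_is_protected() {
    file="$1"
    want_uid="${2:-0}"
    dir=$(dirname "$file")
    for p in "$file" "$dir"; do
        set -- $(file_mode_uid "$p")
        mode="$1"; uid="$2"
        [ -n "$mode" ] || { echo "$p: missing or unreadable" >&2; return 1; }
        [ "$uid" = "$want_uid" ] || {
            echo "$p: owner uid $uid, expected $want_uid" >&2; return 1; }
        # Characters 6 and 9 of the mode string are the group and other
        # write bits, e.g. -rw-rw-r-- has a 'w' at position 6.
        case "$(printf '%s' "$mode" | cut -c6,9)" in
            --) ;;
            *) echo "$p: writable by group or others ($mode)" >&2; return 1 ;;
        esac
    done
    return 0
}

# safe_source FILE [UID]: source FILE into the current shell only if it
# passes the ownership and permission check above.
safe_source() {
    if profile_is_protected "$1" "${2:-0}"; then
        . "$1"
    else
        echo "refusing to source $1" >&2
        return 1
    fi
}
```

A startup script could call `safe_source /etc/zshrc` and `safe_source "$HOME/.zshrc"`; the second call fails by design unless the user's own rc file is root-owned, which is exactly the trade-off the proposal's opt-in config flag is meant to cover.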