Re: Thoughts on protecting against PATH interception via user owned profiles

[Andrew Parker <andrew.j.c.parker@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 2386 bytes --]

Oh, amazing - zsh is one step ahead of me!

This is the final nudge I need to make zsh my default shell on macOS (there
were some compatibility issues I'd been too lazy to fix until now). Looks
like this will keep at least me happy. Not sure how much the rest of the
world cares about this, but both myself and my team have been putting a lot
of effort into make sure we can't accidentally ship malware to our
customers, hence the forensic look into issues ("can't" == low probability).

There's still an issue to fix with Terminal(s) as a regular user can easily
change the shell binary used by the terminal. I also think Homebrew may
still have some issues as well (will dig in more). However, these are for
another forum :)

Thanks
Andrew

On Sun, Dec 15, 2019 at 4:41 PM Roman Perepelitsa <
roman.perepelitsa@gmail.com> wrote:

> On Sun, Dec 15, 2019 at 7:29 AM Andrew Parker
> <andrew.j.c.parker@gmail.com> wrote:
> > My question is whether zsh (and other shells) would ever be interested in
> > implementing a solution to this. My suggestion would be something like
> the
> > following (although there may be better alternatives):
> >
> > * zsh uses a config file in e.g. /etc directory which much be owned and
> > only writable by root
> > * The config can be used enable "protected profiles"
> > * Once protected profiles are enabled, only profiles which are owned and
> > only writable by root can be sourced on startup
>
> You can do this by creating /etc/zshenv (owned by root) with the
> following content (untested):
>
>   [[ -o no_rcs ]] && return
>
>   () {
>     emulate -L zsh -o extended_glob
>     local file files=(zshenv)
>     [[ -o login       ]] && files+=(zprofile zlogin zlogout)
>     [[ -o interactive ]] && files+=(zshrc)
>     for file in ${ZDOTDIR:-~}/.$^files; do
>       [[ ! -f $file || -n $file(#qNu0g0^W) ]] && continue
>       # Either not owned by root:root or world writable.
>       echo -E - "skipping zsh user rcs because ${(q)file} is tainted" >&2
>       setopt no_rcs
>       return 1  # alternatively: exit 1
>     done
>   }
>
> This checks whether any of the user rc files are tainted (either not
> owned by root:root or world-writable) and unsets rc option if so. This
> will prevent zsh from sourcing rc files from the user's home
> directory. You can take some other action there if you like, such as
> exiting the shell.
>
> Roman.
>