From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <zsh-users-return-24536-ml=inbox.vuxu.org@zsh.org>
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on inbox.vuxu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.0 required=5.0 tests=DKIM_ADSP_CUSTOM_MED,
	FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE autolearn=ham
	autolearn_force=no version=3.4.2
Received: from primenet.com.au (ns1.primenet.com.au [203.24.36.2])
	by inbox.vuxu.org (OpenSMTPD) with ESMTP id 84a3dc68
	for <ml@inbox.vuxu.org>;
	Sun, 15 Dec 2019 08:50:09 +0000 (UTC)
Received: (qmail 18652 invoked by alias); 15 Dec 2019 08:50:02 -0000
Mailing-List: contact zsh-users-help@zsh.org; run by ezmlm
Precedence: bulk
X-No-Archive: yes
List-Id: Zsh Users List <zsh-users.zsh.org>
List-Post: <mailto:zsh-users@zsh.org>
List-Help: <mailto:zsh-users-help@zsh.org>
List-Unsubscribe: <mailto:zsh-users-unsubscribe@zsh.org>
X-Seq: 24536
Received: (qmail 14416 invoked by uid 1010); 15 Dec 2019 08:50:02 -0000
X-Qmail-Scanner-Diagnostics: from mail-wr1-f41.google.com by f.primenet.com.au (envelope-from <andrew.j.c.parker@gmail.com>, uid 7791) with qmail-scanner-2.11 
 (clamdscan: 0.102.1/25656. spamassassin: 3.4.2.  
 Clear:RC:0(209.85.221.41):SA:0(-2.0/5.0):. 
 Processed in 4.680464 secs); 15 Dec 2019 08:50:02 -0000
X-Envelope-From: andrew.j.c.parker@gmail.com
X-Qmail-Scanner-Mime-Attachments: |
X-Qmail-Scanner-Zip-Files: |
Received-SPF: pass (ns1.primenet.com.au: SPF record at _netblocks.google.com designates 209.85.221.41 as permitted sender)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=E8TpuGePb+lTFCxyPqmxLnGVYvo/vejqgav4dbX5DOA=;
        b=cjwrUKlTkiKU+kxoPeba+hCtzehukgl5hgOMVdyUNA7SmrLHcf4qn6vWtEv76ffTEn
         g8eAIq3O3Pn4iOEDlmqmpB3FEWFQbNpJQ0GabF59VOIThd0vCpTkS3paYVB73tj9ipeE
         OmsZThjQ29Mxh0ktGbyEfNclKtm7x3nZSXaEA92GR7NNwPVl02G/AGsFztoabGxmVOXA
         zwUY0FoL6KT7t+psLGrW6V0CUNnHIfvLZe7LHjPDwQpngrHHSSc5Ld1sEfUj1qZAb392
         HNdGwaWGh2C/kXx0eyIR8CHAjDiHXjoj/1VN4ZqGKr+kt3HU67+n7l/kCiF1NoyM5F2q
         goXQ==
X-Gm-Message-State: APjAAAXrdZnluuPK+Yq6ciaNH2gmHJhjETwlTq/RpJQDj3sihKxk+PlH
	CDgzu5A9udKhmXwa9ZQN++iBfk0p0sdI/1dDv3k=
X-Google-Smtp-Source: APXvYqxG5rW7s7Q+M+anTjD/7fQ7y6ZOmUUu6tjtHIWrKusbZTbPxBm3yikpPlKPs7rPegQD5XGLsa3xuFc8fWrqiHI=
X-Received: by 2002:a5d:6144:: with SMTP id y4mr23579642wrt.15.1576399763696;
 Sun, 15 Dec 2019 00:49:23 -0800 (PST)
MIME-Version: 1.0
References: <CAG78ipVksGrRjOdV0H=qofrtSNHfeh_OHg2GD9AjjnbF42JoMw@mail.gmail.com>
 <CAN=4vMr6DCXWHL0Om4nZ6_y1AJA8vDpOKbu3qfCz-5MunSDO4w@mail.gmail.com>
In-Reply-To: <CAN=4vMr6DCXWHL0Om4nZ6_y1AJA8vDpOKbu3qfCz-5MunSDO4w@mail.gmail.com>
From: Andrew Parker <andrew.j.c.parker@gmail.com>
Date: Sun, 15 Dec 2019 16:49:12 +0800
Message-ID: <CAG78ipVwF-MfH-imwm1gpfdKhsoK5zxc-uO3LiZoHRJ6urQr5g@mail.gmail.com>
Subject: Re: Thoughts on protecting against PATH interception via user owned profiles
To: Roman Perepelitsa <roman.perepelitsa@gmail.com>
Cc: Zsh Users <zsh-users@zsh.org>
Content-Type: multipart/alternative; boundary="000000000000f070640599ba2beb"

--000000000000f070640599ba2beb
Content-Type: text/plain; charset="UTF-8"

Oh, amazing - zsh is one step ahead of me!

This is the final nudge I need to make zsh my default shell on macOS (there
were some compatibility issues I'd been too lazy to fix until now). Looks
like this will keep at least me happy. Not sure how much the rest of the
world cares about this, but both myself and my team have been putting a lot
of effort into make sure we can't accidentally ship malware to our
customers, hence the forensic look into issues ("can't" == low probability).

There's still an issue to fix with Terminal(s) as a regular user can easily
change the shell binary used by the terminal. I also think Homebrew may
still have some issues as well (will dig in more). However, these are for
another forum :)

Thanks
Andrew

On Sun, Dec 15, 2019 at 4:41 PM Roman Perepelitsa <
roman.perepelitsa@gmail.com> wrote:

> On Sun, Dec 15, 2019 at 7:29 AM Andrew Parker
> <andrew.j.c.parker@gmail.com> wrote:
> > My question is whether zsh (and other shells) would ever be interested in
> > implementing a solution to this. My suggestion would be something like
> the
> > following (although there may be better alternatives):
> >
> > * zsh uses a config file in e.g. /etc directory which much be owned and
> > only writable by root
> > * The config can be used enable "protected profiles"
> > * Once protected profiles are enabled, only profiles which are owned and
> > only writable by root can be sourced on startup
>
> You can do this by creating /etc/zshenv (owned by root) with the
> following content (untested):
>
>   [[ -o no_rcs ]] && return
>
>   () {
>     emulate -L zsh -o extended_glob
>     local file files=(zshenv)
>     [[ -o login       ]] && files+=(zprofile zlogin zlogout)
>     [[ -o interactive ]] && files+=(zshrc)
>     for file in ${ZDOTDIR:-~}/.$^files; do
>       [[ ! -f $file || -n $file(#qNu0g0^W) ]] && continue
>       # Either not owned by root:root or world writable.
>       echo -E - "skipping zsh user rcs because ${(q)file} is tainted" >&2
>       setopt no_rcs
>       return 1  # alternatively: exit 1
>     done
>   }
>
> This checks whether any of the user rc files are tainted (either not
> owned by root:root or world-writable) and unsets rc option if so. This
> will prevent zsh from sourcing rc files from the user's home
> directory. You can take some other action there if you like, such as
> exiting the shell.
>
> Roman.
>

--000000000000f070640599ba2beb--