List-Id: Zsh Users List
Subject: Re: Thoughts on protecting against PATH interception via user owned profiles
From: Andrew Parker
Date: Tue, 17 Dec 2019 21:34:33 +0800
To: Bart Schaefer
Cc: Daniel Shahaf, Zsh Users

I think there's a major difference here in the way Apple's sudo works. It's simple to check on macOS that *sudo env* preserves PATH (but not other variables). It can be fixed with *secure_path* in the sudoers file. Possibly other *nix systems fix this with *secure_path* by default?
Don't have access to my VMs right now to check.

On Mon, Dec 16, 2019 at 3:48 AM Bart Schaefer wrote:
> Daniel has pretty well summed this up, but just one thing:
>
> On Sat, Dec 14, 2019 at 11:58 PM Andrew Parker wrote:
> >
> > Consider Homebrew. The installation script calls sudo. The root shell
> > inherits my user's env. Brew then executes numerous commands that can be
> > intercepted. My system is now forever compromised.
>
> That's not how sudo normally works. In most cases sudo discards the
> environment and replaces it with a default system-configured one. To
> run with the user's environment, it is both necessary to invoke "sudo
> -E", and for the security policy associated with that user to permit
> preserving the environment.
>
>     -E, --preserve-env
>                 Indicates to the security policy that the user wishes to
>                 preserve their existing environment variables. The
>                 security policy may return an error if the user does not
>                 have permission to preserve the environment.
>
> It is the responsibility of the program that escalates the privilege
> to make sure it is not making unsafe assumptions, not the
> responsibility of the shell (or any other program) in the
> non-privileged state.
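An added example, not part of Andrew's message or of anything posted in the thread, showing the interception the subject line refers to and the effect of the secure_path fix Andrew mentions. It plants a constructed fake `ls` in a temporary directory the user owns (standing in for what a user-owned profile could drop and prepend to PATH), resolves `ls` the way a shell would under the inherited PATH and under a fixed secure_path, and lists the user-writable PATH entries that make the interception possible. The SECURE_PATH value is an assumed typical sudoers setting, not taken from any system in the thread; it assumes POSIX sh, a writable ${TMPDIR:-/tmp}, and an `ls` somewhere under SECURE_PATH.

```shell
#!/bin/sh
# Added example, not code from the thread. A directory the unprivileged user
# controls sits at the front of PATH, so any process that inherits that PATH
# (a root shell started via a sudo that keeps PATH) resolves common commands
# to the user's files. A fixed secure_path, as in sudoers
# `Defaults secure_path=...`, defeats it because PATH is replaced, not kept.
# Assumptions: POSIX sh, writable ${TMPDIR:-/tmp}, an `ls` under SECURE_PATH.
set -u

# Assumed typical secure_path value; check /etc/sudoers for the real one.
SECURE_PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Resolve which file a shell would execute for $2 under PATH=$1: the first
# directory in PATH order holding an executable regular file of that name.
resolve_with_path() {
    _path=$1
    _cmd=$2
    _old_ifs=$IFS
    IFS=:
    for _dir in $_path; do
        [ -n "$_dir" ] || _dir=.          # an empty PATH entry means cwd
        if [ -f "$_dir/$_cmd" ] && [ -x "$_dir/$_cmd" ]; then
            IFS=$_old_ifs
            printf '%s\n' "$_dir/$_cmd"
            return 0
        fi
    done
    IFS=$_old_ifs
    return 1
}

# List PATH entries the current user can write to. Any of these ahead of the
# system directories is an interception point for every process that inherits
# this PATH; run it against the PATH a root shell actually ends up with.
writable_path_dirs() {
    _path=$1
    _old_ifs=$IFS
    IFS=:
    for _dir in $_path; do
        [ -n "$_dir" ] || _dir=.
        if [ -d "$_dir" ] && [ -w "$_dir" ]; then
            printf '%s\n' "$_dir"
        fi
    done
    IFS=$_old_ifs
    return 0
}

# Constructed fixture: a fake `ls` in a directory the user owns, standing in
# for what a user-owned profile (~/.zshrc, ~/.zprofile) could drop and prepend.
make_trojan_dir() {
    _d=$(mktemp -d "${TMPDIR:-/tmp}/pathtrap.XXXXXX") || return 1
    cat > "$_d/ls" <<'EOF'
#!/bin/sh
echo "trojan ls running as uid $(id -u)" >&2   # a real payload would go here
exec /bin/ls "$@"
EOF
    chmod 0755 "$_d/ls"
    printf '%s\n' "$_d"
}

# PATH as a root shell inherits it when sudo keeps PATH: trojan dir first.
resolve_inherited() {
    resolve_with_path "$1:$SECURE_PATH" ls
}

# PATH after secure_path: the inherited value is discarded entirely.
resolve_secure() {
    resolve_with_path "$SECURE_PATH" ls
}

demo() {
    _t=$(make_trojan_dir) || return 1
    printf 'inherited PATH resolves ls to:  %s\n' "$(resolve_inherited "$_t")"
    printf 'secure_path resolves ls to:     %s\n' "$(resolve_secure)"
    printf 'user-writable dirs in inherited PATH:\n'
    writable_path_dirs "$_t:$SECURE_PATH"
    rm -rf "$_t"
}
demo
```

On a real system the two checks the thread is about are `sudo env | grep '^PATH='` (what root actually inherits) and `sudo -l`, which lists the matching Defaults entries, including secure_path when it is set. One caveat worth knowing from sudoers(5): env_reset does not drop PATH. With env_reset on, the command still runs with the caller's PATH (alongside TERM, HOME, SHELL and the other variables the manual lists) unless secure_path is set, so `sudo -E` only matters for the rest of the environment; secure_path is what actually closes the PATH vector.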