From: Bart Schaefer
Date: Sun, 15 Dec 2019 11:47:48 -0800
Subject: Re: Thoughts on protecting against PATH interception via user owned profiles
To: Andrew Parker
Cc: Daniel Shahaf, Zsh Users
List-Id: Zsh Users List (zsh-users@zsh.org)
X-Seq: 24547
References: <20191215071417.ivb76lzapj43ag3z@tarpaulin.shahaf.local2>

Daniel has pretty well summed this up, but just one thing:

On Sat, Dec 14, 2019 at 11:58 PM Andrew Parker wrote:
>
> Consider Homebrew. The installation script calls sudo. The root shell
> inherits my user's env. Brew then executes numerous commands that can be
> intercepted. My system is now forever compromised.

That's not how sudo normally works. In most cases sudo discards the
environment and replaces it with a default system-configured one. To run
with the user's environment, it is both necessary to invoke "sudo -E", and
for the security policy associated with that user to permit preserving the
environment.

     -E, --preserve-env
                 Indicates to the security policy that the user wishes to
                 preserve their existing environment variables. The security
                 policy may return an error if the user does not have
                 permission to preserve the environment.

It is the responsibility of the program that escalates the privilege to make
sure it is not making unsafe assumptions, not the responsibility of the shell
(or any other program) in the non-privileged state.
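The message above places the burden on the escalating program: whatever runs under sudo must not trust a PATH it inherited (or kept via "sudo -E"). The following is an added example, not code from this thread, from sudo or from Homebrew. It audits a PATH value the way such a script could before invoking anything by bare name, flagging entries that are empty or relative, missing (an attacker can create them), not owned by uid 0, or group/world writable. The function names and the scratch PATH in demo() are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example: audit a PATH before a privileged script relies on it.
# Not from the zsh-users thread, sudo, or Homebrew.

# path_untrusted_entries PATHVALUE
# Prints "entry<TAB>reason" for every entry that should not be trusted.
path_untrusted_entries() {
    _saved_ifs=$IFS
    IFS=:
    set -- $1                    # split the PATH value on ':'
    IFS=$_saved_ifs
    for _d; do
        case $_d in
            /*) ;;
            *)  printf '%s\t%s\n' "$_d" "not absolute (empty or relative entry)"
                continue ;;
        esac
        if [ ! -d "$_d" ]; then
            printf '%s\t%s\n' "$_d" "missing (an attacker could create it)"
            continue
        fi
        # ls -ldn prints: mode links uid gid ...; numeric uid avoids name lookups
        _mode=$(ls -ldn "$_d" | awk '{print $1}')
        _uid=$(ls -ldn "$_d" | awk '{print $3}')
        if [ "$_uid" != 0 ]; then
            printf '%s\t%s\n' "$_d" "owned by uid $_uid, not root"
            continue
        fi
        # position 6 of the mode string is the group write bit, position 9 is other
        case $_mode in
            ?????w*|????????w*)
                printf '%s\t%s\n' "$_d" "group or world writable ($_mode)" ;;
        esac
    done
}

# path_is_trusted PATHVALUE
# Exit 0 only if no entry was flagged; a privileged script can bail out on 1.
path_is_trusted() {
    [ -z "$(path_untrusted_entries "$1")" ]
}

# Demo on a constructed PATH (hypothetical input): a world-writable scratch
# directory, a nonexistent directory and a relative entry are all reported.
demo() {
    _tmp=$(mktemp -d)
    chmod 777 "$_tmp"
    path_untrusted_entries "/usr/bin:$_tmp:$_tmp/nope:."
    rmdir "$_tmp"
}
```

A script that escalates with sudo would call path_is_trusted "$PATH" first and refuse to continue, or reset PATH to a fixed system value, when it fails; the ownership and write-bit checks are what sudo's own env_reset defaults are protecting when they replace PATH with secure_path.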