From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=DKIM_ADSP_CUSTOM_MED, FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from primenet.com.au (ns1.primenet.com.au [203.24.36.2]) by inbox.vuxu.org (OpenSMTPD) with ESMTP id dcf8873e for ; Sun, 15 Dec 2019 08:42:08 +0000 (UTC) Received: (qmail 27434 invoked by alias); 15 Dec 2019 08:42:00 -0000 Mailing-List: contact zsh-users-help@zsh.org; run by ezmlm Precedence: bulk X-No-Archive: yes List-Id: Zsh Users List List-Post: List-Help: List-Unsubscribe: X-Seq: 24534 Received: (qmail 29430 invoked by uid 1010); 15 Dec 2019 08:42:00 -0000 X-Qmail-Scanner-Diagnostics: from mail-io1-f51.google.com by f.primenet.com.au (envelope-from , uid 7791) with qmail-scanner-2.11 (clamdscan: 0.102.1/25656. spamassassin: 3.4.2. Clear:RC:0(209.85.166.51):SA:0(-2.0/5.0):. Processed in 0.969534 secs); 15 Dec 2019 08:42:00 -0000 X-Envelope-From: roman.perepelitsa@gmail.com X-Qmail-Scanner-Mime-Attachments: | X-Qmail-Scanner-Zip-Files: | Received-SPF: pass (ns1.primenet.com.au: SPF record at _netblocks.google.com designates 209.85.166.51 as permitted sender) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=E1Ywwe/1sPj4h7BDZyrEyFMgefyXwuqJkNzyHlTfbjg=; b=aoJnmMzcII4yV59KjgGLmMkFUfl4eVbJOGj+t1y+T8zuicEyyqDis7g5r/qAj+kJ6P Worb3rm/K7js/rW2zKXrKnsqhMH+5mpomYNIL3BCd99eKXaTThCaHnUqAXtH6RU85MyN XV0KjXY6Dy/AeYts5jA9AaCBtJM6oiVCH9itTU2fMSs0Z/EqfCDZjTwAV/7LqjYkRVZ+ w3zsPkLiIlsDApXMEXz8wJvu5hY+hNh2NZ9kWkGqQta0ugxSrqmYox/BWqKFA/0Rw4RB Kq8Pzs/2aLKpOA2/5ZpMnq/FMxiQK1bFkFfXoI5eFH4kgNAWvYQ90EMg7hCj35HwDz18 DrwQ== X-Gm-Message-State: APjAAAVTHaHd9wxQNIIvZuFEWxp2qgpDRdF/qE0if9JS65SNa8yi+y7Y mwXb8xebKMI+KbGQGVEDxoTIVBPQZIFlAoU4lDY= X-Google-Smtp-Source: APXvYqxO07CRRLRccNdh8LVhEEf2ucNfcfc3tH2UeKr6aUO3BTUrGoyGOanCXI1q6patyF72UahtVh17Ip/nkIqOMrk= X-Received: by 2002:a5d:89c8:: with SMTP id a8mr8490510iot.186.1576399285722; Sun, 15 Dec 2019 00:41:25 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Roman Perepelitsa Date: Sun, 15 Dec 2019 09:41:14 +0100 Message-ID: Subject: Re: Thoughts on protecting against PATH interception via user owned profiles To: Andrew Parker Cc: Zsh Users Content-Type: text/plain; charset="UTF-8" On Sun, Dec 15, 2019 at 7:29 AM Andrew Parker wrote: > My question is whether zsh (and other shells) would ever be interested in > implementing a solution to this. My suggestion would be something like the > following (although there may be better alternatives): > > * zsh uses a config file in e.g. /etc directory which much be owned and > only writable by root > * The config can be used enable "protected profiles" > * Once protected profiles are enabled, only profiles which are owned and > only writable by root can be sourced on startup You can do this by creating /etc/zshenv (owned by root) with the following content (untested): [[ -o no_rcs ]] && return () { emulate -L zsh -o extended_glob local file files=(zshenv) [[ -o login ]] && files+=(zprofile zlogin zlogout) [[ -o interactive ]] && files+=(zshrc) for file in ${ZDOTDIR:-~}/.$^files; do [[ ! -f $file || -n $file(#qNu0g0^W) ]] && continue # Either not owned by root:root or world writable. echo -E - "skipping zsh user rcs because ${(q)file} is tainted" >&2 setopt no_rcs return 1 # alternatively: exit 1 done } This checks whether any of the user rc files are tainted (either not owned by root:root or world-writable) and unsets rc option if so. This will prevent zsh from sourcing rc files from the user's home directory. You can take some other action there if you like, such as exiting the shell. Roman.