"/keybase bin is not a Keybase folder" / "bin is not a Keybase user"

[stephenyeargin]

Keybase GUI Version: 1.0.16-20160624110018+8ca7e60

Shortly after the install process completed and messing around in the file system, I began receiving these notifications.

Reproduction steps:

1. Install the application for Mac OS (10.11.5)
2. Enter terminal command cd /keybase/private/stephenyeargin,stevenryoung from a demo page
3. Enter terminal command cd /keybase/private/stephenyeargin because I was curious
4. Enter terminal command cd .. because I was curious
5. Enter terminal command rm -fr stephenyeargin because I was curious
6. Enter terminal command ls -l because I was curious
7. Somewhere during that process, receive a series of notifications:

Log ID: 8599d96fc55e5935e6d7281c

[strib]

Hi @stephenyeargin -- those notifications happen when something on your device tries to look up a file in a Keybase directory that has only a pre-defined set of entries. In this case, something is looking up the file "bin" in /keybase and in /keybase/private and /keybase/public. The point of the notifications is to teach new users what should be in those folders. In this case, since you're not manually looking up "bin" according to your post, it must be something on your device, most probably something running in your shell or set in your shell environment.

Frankly, it seems like you have something configured to look for a bin directory on any parent directory of your current working directory, and this seems like a supremely bad idea. I could be wrong about the intent here, but you probably don't want to execute anything in any arbitrary bin directory on your path.

[stephenyeargin]

@strib Yeah, I likely have a little bit of that going on.

Stephens-Work-Mac-mini:~ stephen$ cat ~/.bash_profile 

export PATH=/usr/local/share/pear:/usr/local/sbin:/usr/local/bin:/usr/bin:/Applications/VirtualBox.app/Contents/MacOS:$PATH
export DISPLAY=:0.0

# Default editor
export EDITOR=/usr/bin/vim

# Aliases
alias flushcache='dscacheutil -flushcache'
alias docroot='cd ~/Sites/'
alias vhosts='mate /etc/hosts'
alias mate='atom '
alias deletemerged='git branch --merged | grep -v "\*" | xargs -n 1 git branch -d'

# Postgres
export PGDATA=/usr/local/var/postgres

# Node
export PATH=~/node_modules/.bin:$PATH

# Composer
export PATH=~/.composer/vendor/bin:$PATH

# Boxen
[ -f /opt/boxen/env.sh ] && source /opt/boxen/env.sh

# bash autocomplete
if [ -f $(brew --prefix)/etc/bash_completion ]; then
  . $(brew --prefix)/etc/bash_completion
fi

# Show status in prompt
source ~/.git-status.bash
PS1='\h:\W$(__git_ps1 " \[\033[0;32m\](%s)\[\033[0;00m\]") \u\$ '

Probably the bash_completion plugin. Or something with Boxen.

[stephenyeargin]

It's boxen's fault.

Without that loaded:

$ echo $PATH
/Users/stephen/.composer/vendor/bin:/Users/stephen/node_modules/.bin:/usr/local/share/pear:/usr/local/sbin:/usr/local/bin:/usr/bin:/Applications/VirtualBox.app/Contents/MacOS:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/opt/X11/bin

With it loaded:

$ echo $PATH
bin:/opt/boxen/rbenv/shims:/opt/boxen/rbenv/bin:/opt/boxen/ruby-build/bin:/opt/boxen/phantomenv/shims:/opt/boxen/phantomenv/bin:/opt/boxen/nodenv/shims:/opt/boxen/nodenv/bin:/opt/boxen/node-build/bin:/usr/local/bin:/usr/local/sbin:/opt/boxen/bin:/Users/stephen/.composer/vendor/bin:/Users/stephen/node_modules/.bin:/usr/local/share/pear:/usr/local/sbin:/usr/local/bin:/usr/bin:/Applications/VirtualBox.app/Contents/MacOS:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/opt/X11/bin

Now to figure out why they do that.

[stephenyeargin]

boxen/puppet-boxen#107

[cjb]

Wow. That's shocking.

It's not at all safe to use KBFS in this configuration. Someone could hijack your machine by getting you to cd into their public directory (containing a bin/).

[strib]

Keybase, Dropbox, GDrive, or anything else that gets supposedly read-only files onto your computer (say, unzipping an archive and cd'ing around in it).

[stephenyeargin]

They say knowledge is power. 😁 Some times it's just terrifying.

For anyone else that comes across it, you should immediately add this line to your Boxen repository into the <boxen path>/hiera/common.yaml file right after the ---:

# Don't append relative bin on path.
"boxen::environment::relative_bin_on_path": false

As for the Keybase client, perhaps a warning if relative paths have been included in $PATH? At any rate, you now know a pretty significant attack vector for anyone who uses Boxen out-of-the-box.