Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

Relying on PATH to find executables is a security hole. #3

Open
vampirechicken opened this Issue Mar 5, 2012 · 4 comments

Comments

Projects
None yet
3 participants

Use full paths to executables.

If you don't provide a full path to the executable, you execute the first one on the path.

$ cat <<EOF > /tmp/head
echo 'Problem?'
EOF
$chmod +x /tmp/head
$ export PATH=/tmp:$PATH 

Now run a program that calls 'head' instead of '/full/path/to/head

You'll run /tmp/head.

If you combine this with setuid/setgid, you have an escalation of privileges waiting to happen.

See also: level one of Stripe Capture the Flag

Owner

seamusabshere commented Mar 5, 2012

hi,

What if there was something like...

UnixUtils.paths[:cut] = '/my/path/to/cut'

?

Best,
Seamus

That is how it should be. Full path to executable == not using $PATH == one less well-known vulnerability.

I completely understand why you'd go for the pathless method. You basically need to add a configure script to go out and find all the programs, or make the person installing the gem configure it by hand.

But, with the Linux File System Standards, it shouldn't be an overly big deal to track down where the executables live.

That's a good idea -- check all the reasonable places on startup, in order of reasonableness, allow configuration override, and die if something's nowhere to be found.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment