Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP

Loading…

Relying on PATH to find executables is a security hole. #3

Open
vampirechicken opened this Issue · 4 comments

3 participants

@vampirechicken

Use full paths to executables.

If you don't provide a full path to the executable, you execute the first one on the path.

$ cat <<EOF > /tmp/head
echo 'Problem?'
EOF
$chmod +x /tmp/head
$ export PATH=/tmp:$PATH 

Now run a program that calls 'head' instead of '/full/path/to/head

You'll run /tmp/head.

If you combine this with setuid/setgid, you have an escalation of privileges waiting to happen.

See also: level one of Stripe Capture the Flag

@seamusabshere

hi,

What if there was something like...

UnixUtils.paths[:cut] = '/my/path/to/cut'

?

Best,
Seamus

@vampirechicken

That is how it should be. Full path to executable == not using $PATH == one less well-known vulnerability.

I completely understand why you'd go for the pathless method. You basically need to add a configure script to go out and find all the programs, or make the person installing the gem configure it by hand.

@vampirechicken

But, with the Linux File System Standards, it shouldn't be an overly big deal to track down where the executables live.

@rossmeissl

That's a good idea -- check all the reasonable places on startup, in order of reasonableness, allow configuration override, and die if something's nowhere to be found.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.