BLU Discuss list archive
[Discuss] Program path maintenance and security (was Re: Debian 12 vs. WSL 1)
- Subject: [Discuss] Program path maintenance and security (was Re: Debian 12 vs. WSL 1)
- From: invalid at pizzashack.org (Derek Martin)
- Date: Wed, 21 Jun 2023 11:35:08 -0500
On Tue, Jun 20, 2023 at 03:39:59PM -0500, Derek Martin wrote:
> My script exactly demonstrates the point I made: You can't
> compromise a script (or other program) in the manner you described
> when it takes care on its own behalf that its PATH is set up properly.

I think it's worth expanding on this just a bit. This IS good practice, and you should do it in your shell scripts--particularly when you need to execute system utilities but can't be sure in which system path they will live--and you should probably also provide a means for users to configure this in larger software projects where you end up executing system commands on the user's behalf (and provide sensible defaults). The key is just to make sure you don't add paths where untrusted users control the contents, or if somehow that's unavoidable, add them to the end of the path. Then if someone tries to add a malicious replacement program, the one in the system path will always be executed first.

This strategy is absolutely effective at preventing security compromises by path-based subversion of binary execution. You know how I know it is? Aside from the fact that path-based execution is deterministic and its behavior isn't that hard to understand--it's because we have this little utility called sudo, one of the most security-sensitive programs you have on your system, that does exactly this, for exactly this reason. It works. If it didn't, smarter folks than we, who have been reviewing sudo's security continually since 1994, would have told you why it didn't. Because that would be a big deal, much like every other sudo compromise.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0xDFBEAD02

-=-=-=-=-
This message is posted from an invalid address. Replying to it will result in undeliverable mail due to spam prevention. Sorry for the inconvenience.
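The practice the post describes, a script pinning its own PATH to trusted system directories and appending anything user-controlled only at the end, as an added example that is not code from the original message or from sudo. The default directory list, the function names and the "not world-writable" test are this example's own assumptions about what "untrusted users control the contents" means in practice:

```shell
#!/bin/sh
# Added example, not from the original thread: set up a script's PATH the way
# the post describes. Trusted system directories come first, user-supplied
# directories only at the end, and any directory untrusted users could write
# to is dropped. Function names and the default directory list are this
# example's own choices, not sudo's code.

# Default trusted search order (a typical Linux layout; adjust per platform).
TRUSTED_DIRS="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# dir_is_safe DIR: succeed only if DIR is absolute, exists, and is not
# world-writable. A world-writable directory (like /tmp) lets any local user
# drop a same-named replacement for a system utility into the search path.
dir_is_safe() {
    dir=$1
    case $dir in
        /*) ;;            # must be absolute; "", "." and "bin" are all rejected
        *)  return 1 ;;
    esac
    [ -d "$dir" ] || return 1
    # ls -L follows symlinks (merged-/usr systems make /bin a symlink);
    # the 9th character of the mode string is the other-write bit.
    perms=$(ls -ldL "$dir" | cut -c9)
    [ "$perms" != "w" ]
}

# build_path TRUSTED EXTRA: print a colon-separated PATH. TRUSTED entries keep
# their order and always precede EXTRA entries (e.g. a user-configured
# directory), so a system binary wins over any same-named file in EXTRA.
# Missing directories are skipped silently; unsafe ones are dropped with a
# warning; duplicates are removed. Uses globals, as POSIX sh has no "local".
build_path() {
    trusted=$1
    extra=$2
    result=
    old_ifs=$IFS
    IFS=:
    for d in $trusted $extra; do
        [ -d "$d" ] || continue            # absent on this platform: skip quietly
        if ! dir_is_safe "$d"; then
            printf 'warning: dropping unsafe PATH entry: %s\n' "$d" >&2
            continue
        fi
        case ":$result:" in
            *":$d:"*) continue ;;           # already present
        esac
        result=${result:+$result:}$d
    done
    IFS=$old_ifs
    printf '%s\n' "$result"
}

# resolve_with_path PATHSTR CMD: print the file CMD would execute under
# PATHSTR, in a subshell so the caller's PATH is untouched.
resolve_with_path() {
    (PATH=$1; export PATH; command -v "$2")
}

# Demonstration with constructed directories: one world-writable (dropped),
# one safe but user-owned (kept, at the end) holding a fake "ls".
demo() {
    bad=$(mktemp -d); chmod 777 "$bad"
    ok=$(mktemp -d);  chmod 755 "$ok"
    printf '#!/bin/sh\necho fake ls\n' > "$ok/ls"; chmod 755 "$ok/ls"
    p=$(build_path "$TRUSTED_DIRS" "$bad:$ok")
    printf 'PATH=%s\n' "$p"
    printf 'ls resolves to: %s\n' "$(resolve_with_path "$p" ls)"
    rm -rf "$bad" "$ok"
}

demo
```

Running it shows the world-writable directory dropped with a warning and `ls` still resolving to the system binary, even though the user-owned directory at the end of the path holds a file by that name. sudo's equivalent is the `secure_path` option in sudoers, which replaces the invoking user's PATH outright rather than appending to it; a script that cannot rely on sudo has to do the same work itself, as above.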
- Follow-Ups:
- [Discuss] Program path maintenance and security (was Re: Debian 12 vs. WSL 1)
- From: bogstad at pobox.com (Bill Bogstad)
- [Discuss] Program path maintenance and security (was Re: Debian 12 vs. WSL 1)
- From: richard.pieri at gmail.com (Rich Pieri)
- [Discuss] Program path maintenance and security (was Re: Debian 12 vs. WSL 1)