BLU Discuss list archive
[Discuss] Program path maintenance and security (was Re: Debian 12 vs. WSL 1)
- Subject: [Discuss] Program path maintenance and security (was Re: Debian 12 vs. WSL 1)
- From: richard.pieri at gmail.com (Rich Pieri)
- Date: Wed, 21 Jun 2023 18:57:48 -0400
- In-reply-to: <20230621163508.GJ24375@bladeshadow.org>
- References: <20230621163508.GJ24375@bladeshadow.org>
On Wed, 21 Jun 2023 11:35:08 -0500
Derek Martin <invalid at pizzashack.org> wrote:

> I think it's worth expanding on this just a bit. This IS good
> practice, and you should do it in your shell scripts--particularly
> when you need to execute system utilities but can't be sure in which
> system path they will live--and you should probably also provide a
> means for users to configure this in larger software projects where
> you end up executing system commands on the user's behalf (and

The foundation of every best practice in security is implicit deny. You
start by prohibiting everything and then you explicitly permit the things
you want to allow.

It's been well-known for decades that search paths (PATH, LD_LIBRARY_PATH,
and friends) are less secure than explicit paths to files. The sudoers
manpage says this:

    A Runas_Spec sets the default for the commands that follow it. What
    this means is that for the entry:

        dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm

    The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm on the
    host boulder—but only as operator.

The sudo maintainers document explicit paths to programs as the way to do
it, regardless of environment sanitizing. The manual also has a long
section about preventing shell escapes because as good as sudo is, it
isn't and cannot be perfect.

-- 
\m/ (--) \m/
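The implicit-deny approach the post describes, carried into a shell script as an added example (not code from the post or from the sudo project): commands are resolved only through an explicit allowlist of absolute paths, so PATH and other search variables supplied by the caller never decide what runs. The allowlist entries, the fixed child environment, and the file checks are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Map command names to explicit
# absolute paths (assumed allowlist). Anything not listed is denied.
ALLOWED_CMDS="ls=/bin/ls kill=/bin/kill lprm=/usr/bin/lprm"

# Print the allowlisted absolute path for a command name, or fail.
# Denies by default: a name with no entry returns 1 and prints nothing,
# no matter what PATH the caller has set.
resolve_cmd() {
    name=$1
    for entry in $ALLOWED_CMDS; do
        key=${entry%%=*}
        path=${entry#*=}
        if [ "$key" = "$name" ]; then
            # Refuse entries that are not absolute paths to existing regular
            # files; a relative or missing target is a misconfiguration.
            case $path in /*) ;; *) return 1 ;; esac
            [ -f "$path" ] || return 1
            printf '%s\n' "$path"
            return 0
        fi
    done
    return 1
}

# Run an allowlisted command with a fixed, minimal environment so the child
# does not inherit PATH, LD_LIBRARY_PATH, LD_PRELOAD or similar variables.
run_allowed() {
    cmd=$(resolve_cmd "$1") || { echo "denied: $1" >&2; return 126; }
    shift
    env -i PATH=/usr/bin:/bin "$cmd" "$@"
}
```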