Re: Bash is incorrectly and inconsistently expanding tilde in $PATH

[Eduardo Bustamante]

On Wed, May 3, 2017 at 5:40 PM, Nikolay Aleksandrovich Pavlov (ZyX)
<kp-pav@yandex.ru> wrote:
[...]
>         If $PATH in bash contains ~ (e.g. `PATH='~/bin'`) it is incorrectly 
> treated
>         as if $HOME is present.

Hm. You can start bash in POSIX mode
(https://www.gnu.org/software/bash/manual/bash.html#Bash-POSIX-Mode)
if you want to disable this feature. i.e.

    dualbus@debian:~$ bash --posix -c 'printf "%s\n" "#!/bin/bash"
"echo hi" > ~/cmd; chmod +x ~/cmd; PATH=\~; declare -p PATH; cmd'
    declare -x PATH="~"
    bash: cmd: command not found

    dualbus@debian:~$ bash -c 'printf "%s\n" "#!/bin/bash" "echo hi" >
~/cmd; chmod +x ~/cmd; PATH=\~; declare -p PATH; cmd'
    declare -x PATH="~"
    hi

Bash's behavior here is intentional by the way, review the function
find_in_path_element in
http://git.savannah.gnu.org/cgit/bash.git/tree/findcmd.c?h=devel#n527,
it will perform tilde expansion if the path component starts with a
tilde. Perhaps it should be documented under
https://www.gnu.org/software/bash/manual/bash.html#Bourne-Shell-Variables
that bash treats tildes inside PATH specially.

Also, I think it's a bit of a stretch to call this a security problem.
The scenario you describe (a user having a directory literally named
`~' with a bin subdirectory, a malicious program creating evil
binaries in $HOME/bin,  the user having a misconfigured PATH, ...) is
highly unlikely.