Re: Possible security bug - :: in PATH behaves as if it were "."

bug-bash

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Possible security bug - :: in PATH behaves as if it were "."

From:	Chris F.A. Johnson
Subject:	Re: Possible security bug - :: in PATH behaves as if it were "."
Date:	Mon, 17 Oct 2005 12:12:49 -0400 (EDT)

On Sun, 16 Oct 2005, Asten Rathbun wrote:


Unfortunately I have a slack distro that doesn't include bashbug and
was having issues getting it compiled right, so please accept this bug
report... this confounded me for awhlie

[snip]

---A description of the bug
I noticed that I was able to run executables that shouldn't have been
in my path while in the directory as root.  This is akin to having the
"." directory in Root's path - a well-known no-no.  However, the PATH
variable did *NOT* include ".".   In setting the path, two :
separators were left next to each other.  Removing the extra : removes
the effect.


    An empty field in $PATH is and has always been interpreted as the
    current directory.

    An empty field, whether at the beginning (:*), the end (*:), or in
    the middle (*::*) is a bug in the distro that put it there
    (Slackware is not the only culprit; I think the problem may be in
    an X initialization script).

    I always run a function, checkpath, to remove such errors. It's
    not bashified, as it was written to be POSIX compliant; I have
    bashified the _unslash function that it requires:

checkpath() # verify that all entries in $PATH are directories; remove dupes
{
    verbose=0
    OPTIND=1
    while getopts  v var
    do
      case "$var" in
          v) verbose=1 ;;
      esac
    done

    _unslash "$PATH"
    PATH=$_UNSLASH

    ## assign the elements in PATH to the positional parameters
    oldIFS=$IFS
    IFS=":"
    set -- $PATH
    IFS=$oldIFS

    newPATH=
    for p
    do
      case $p in
          ""|.) continue ;; ## do not allow current directory
      esac

      if [ -d "$p" ]
      then
        _unslash "$p"
        p=$_UNSLASH
        case :$newPATH: in
            *:"$p":*) [ $verbose -ge 1 ] &&
                echo "checkpath: removing $p (already in PATH)" >&2
                ;;
            *) newPATH=${newPATH:+$newPATH:}$p ;;
        esac
      else
          [ $verbose -ge 1 ] &&
             echo "checkpath: $p is not a directory; removing it from PATH" >&2
      fi
    done
    PATH=$newPATH
    return
}

_unslash()
{
    _UNSLASH=$1

    while :
    do
      case $_UNSLASH in

          ## remove trailing slashes
          */) _UNSLASH=${_UNSLASH%/} ;;

          ## change // to /
          *//*) _UNSLASH=${_UNSLASH//\/\///} ;;

          *) break ;;
      esac
    done
}

--
    Chris F.A. Johnson                     <http://cfaj.freeshell.org>
    ==================================================================
    Shell Scripting Recipes: A Problem-Solution Approach, 2005, Apress
    <http://www.torfree.net/~chris/books/cfaj/ssr.html>

[Prev in Thread]

Current Thread

[Next in Thread]

Possible security bug - :: in PATH behaves as if it were ".", Asten Rathbun, 2005/10/17
- Re: Possible security bug - :: in PATH behaves as if it were ".", Asten Rathbun, 2005/10/17
  - Re: Possible security bug - :: in PATH behaves as if it were ".", Chet Ramey, 2005/10/17
- Re: Possible security bug - :: in PATH behaves as if it were ".", Chris F.A. Johnson <=

Prev by Date: Re: Possible security bug - :: in PATH behaves as if it were "."
Next by Date: coordinating bash and coreutils: which bash?
Previous by thread: Re: Possible security bug - :: in PATH behaves as if it were "."
Next by thread: coordinating bash and coreutils: which bash?
Index(es):
- Date
- Thread