[Secure-testing-team] Bug#781367: bash may set a PATH including "." under certain circumstances
Christoph Anton Mitterer
calestyo at scientia.net
Sat Mar 28 06:56:01 UTC 2015
Package: bash
Version: 4.3-12
Severity: important
Tags: security
Hi.
I've raised the severity a bit, since this may have security
implications.
When bash is started as a login or non-login shell from an environment
that doesn't a reasonable PATH already set and when either --noprofile
respectively --norc are used (or some other forms like run as "sh" or in
posxi mode, I guess) or when the profile/bashrc files don't set a PATH
(which they in principle shouldn't need to) then bash apparently sets
some hardcoded default for root and non-root users.
In both cases this contains "." as PATH directory, which is generally
undesired and typically not recommended to be set per default for
security reasons.
E.g.
$ id -u
1000
$ unset PATH
$ /bin/bash --norc
$ echo $PATH
/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.
or
$ unset PATH
$ /bin/bash --noprofile --login
$ echo $PATH
/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.
and so on.
It seems that this is a Debian speciallity, at least on e.g. centos a
sane path is then set.
Cheers,
Chris.
More information about the Secure-testing-team
mailing list