On 2020-10-20 at 07:49, Greg Wooledge wrote:

> On Mon, Oct 19, 2020 at 08:11:01PM -0700, David Christensen wrote:
>
>> On 2020-10-19 05:00, Greg Wooledge wrote:
>>> using an explicit /usr/bin/rsync is sketchy at best.  You
>>> should already have /usr/bin in your PATH
>>
>> AIUI using absolute paths for tools in shell scripts is a security best
>> practice -- it helps defend against attacks where PATH is compromised and/or
>> trojaned system tools are inserted into directories at the front of PATH.
>
> It's not "best practice", and it does not provide any security against
> a malevolent execution environment.  All it really does is introduce
> failures when the location of a tool changes.  (See all the instances
> of failures when new buster installations moved some tools from /bin
> to /usr/bin, and scripts were updated to use things like /usr/bin/mkdir,
> which then fails on *upgraded* buster systems.)
>
> To illustrate why it doesn't provide any security protection:
>
> unicorn:~$ function /bin/rm { echo "haha loser"; }
> unicorn:~$ /bin/rm xyzzy
> haha loser
>
> Remember, bash can accept functions that are imported from the environment,
> and bash's functions have an extremely liberal allowed set of characters.
From a quick test, that seems to only matter if you actually import the
functions from the environment somehow.

$ cat /tmp/test-function-script.sh
#!/bin/bash
/home/wanderer/bin/abecedarian.sh
$ function /home/wanderer/bin/abecedarian.sh { echo "nope"; }
$ abecedarian.sh
Usage: /home/wanderer/bin/abecedarian.sh /path/to/wordlist
$ /home/wanderer/bin/abecedarian.sh
nope
$ /tmp/test-function-script.sh
Usage: /home/wanderer/bin/abecedarian.sh /path/to/wordlist

If I'm parsing that correctly, the full-path invocation from within the
script doesn't seem to pick up the function definition from the outside
session.

I imagine there's probably some scenario that might occur outside of
intentional arrangement in which that definition would in fact be picked
up within the script; can you outline an exact reproducer scenario for
what you're thinking of?

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.         -- George Bernard Shaw
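A reproducer for the mechanism Greg is pointing at, added here as an example and not taken from the thread. The difference from the test above is that the function definition is placed in the child script's environment, which is what `export -f` does and what an unexported interactive definition does not do. Bash (4.3 with the 2014 Shellshock patches, and later) exports a function `name` as an environment variable named `BASH_FUNC_name%%`; the example sets that variable with env(1) so the outer part runs from any POSIX shell, and it explicitly runs the victim with bash. The work directory, the stand-in tool and the victim script are all constructed for the example. The bare-name case is hijacked reliably; for a function whose name is the absolute path, the script reports what your bash does rather than assuming it (in my reading of current bash sources the importer refuses names containing a slash and prints "error importing function definition", but check your own build).

```shell
# Added example, not from the thread. Everything here is constructed:
# the work directory, the fake "tool" and the victim script.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Stand-in for the real tool (think /usr/bin/rsync): it prints "real".
mkdir -p "$workdir/bin"
printf '#!/bin/sh\necho real\n' > "$workdir/bin/mytool"
chmod +x "$workdir/bin/mytool"

# The victim: a bash script that runs the tool once by bare name and once
# by absolute path, as the script under discussion does with rsync.
cat > "$workdir/victim.sh" <<'EOF'
#!/bin/bash
tooldir=$1
PATH="$tooldir:$PATH"
printf 'bare=%s abs=%s\n' "$(mytool)" "$("$tooldir/mytool")"
EOF

# Run the victim with a function definition planted in its environment.
# This is the variable `export -f <name>` would create in the parent;
# env(1) lets us set it from any shell, with any name bash might accept.
run_victim() {
    fname=$1
    env "BASH_FUNC_${fname}%%=() { echo hijacked; }" \
        bash "$workdir/victim.sh" "$workdir/bin"
}

# Case 1: a function named like the tool. It shadows the PATH lookup, so
# the bare call is hijacked; the absolute-path call still runs the file.
bare_case() { run_victim mytool; }

# Case 2: a function whose name is the absolute path of the tool. Whether
# bash imports a name containing '/' is what you want to verify for your
# own bash; this reports it, and bash's complaint (if any) goes to stderr.
abs_case() { run_victim "$workdir/bin/mytool"; }

echo "function named mytool:              $(bare_case)"
echo "function named <workdir>/bin/mytool: $(abs_case)"
```

The bare-name result is the one that matters for the original script: a function placed in the environment wins over PATH regardless of what PATH contains, and an absolute path only helps if bash also declines to import slash-named functions, which is a property of the bash build and not of the script.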