Colin Watson cjwatson at ubuntu.com
Sun Jul 17 19:56:10 UTC 2005

On Sun, Jul 17, 2005 at 09:23:04PM +0200, Dennis Kaarsemaker wrote:
> On zo, 2005-07-17 at 19:49 +0100, Colin Watson wrote:
> > No. Mendel is absolutely correct when talking about the current
> > directory, but there are no such concerns about an explicit directory
> > such as ~/bin provided that no users other than you and root can write
> > there.
> Theoretical situation:
> 1) You download an infected/malevolent program from the net. This 
>    program places a malware script called vim in ~/bin.
> 2) You run sudo vim to edit a config file.
> 3) Since sudo resets neither $HOME nor $PATH, the malware script will 
>    be run, if it simply executes /usr/bin/vim $@ as last bit, you will 
>    not even notice that you ran something else.

Faulty premise: sudo does reset $PATH (since Debian and Ubuntu both
configure it --with-secure-path). Try it ...

  cjwatson at cittagazze:~ $ type total
  total is /home/cjwatson/bin/total
  cjwatson at cittagazze:~ $ echo 1 2 3 | total
  cjwatson at cittagazze:~ $ echo 1 2 3 | sudo total
  sudo: total: command not found

Also note that such a malware script could simply fiddle with your shell
startup files and make 'sudo', 'su', etc. be aliases to something
different. Including ~/bin in $PATH opens no extra vulnerabilities and
is an enormous convenience.


Colin Watson                                       [cjwatson at ubuntu.com]

More information about the ubuntu-users mailing list