Is it secure to use the following kinds of pathnames in `$PATH`?

Is using the following kinds of pathnames in `$PATH` a secure and good practice:
- empty pathname.
  findutils manual says it is insecure if `$PATH` contains an empty pathname, and I wonder why? Is an empty pathname an absolute or relative pathname?
- pathnames containing tilde or filename expansions.
  Can a user of `$PATH` always understand and perform tilde or filename expansions in `$PATH` like shell? If I set the value of `PATH` in a shell startup script such as `~/.profile`, does it matter at all, given that a shell executes the startup file? I found one related to tilde expansion https://unix.stackexchange.com/a/154290/674
- current working directory. See Is it safe to add . to my PATH? How come?
Thanks.
security environment-variables filenames path
edited Jun 8 at 3:21
asked Jun 7 at 16:45
Tim
2 Answers
accepted
If there is an empty element in PATH this refers to '.' and can be seen as insecure.
If the dot or empty element is at the end of the PATH, this is not highly insecure, since it would only hit if someone places a binary in a directory that uses a misspelled system binary name.
For CDPATH it is the other way round: if you do not have the dot or empty element, cd will not find subdirectories in the current directory.
The tilde inside a PATH string is not understood. This is why the POSIX standard requires to expand tilde sequences after a colon in the command line when a shell macro is assigned.
Regarding the text you added to your question after I answered: these tilde characters are expanded before the command is executed.
edited Jun 7 at 20:45
heemayl
answered Jun 7 at 16:50
schily
Related to the first point: unix.stackexchange.com/questions/65700/… – Kusalananda Jun 7 at 16:52
Thanks. "If there is an empty element in PATH this refers to '.'" Does this happen only in $PATH or everywhere? – Tim Jun 7 at 18:07
`.` is insecure no matter where in `PATH` it appears. People make typos all the time. The classic example is a malicious executable in `/tmp` called `sl`. – Reid Jun 7 at 19:32
"these tilde characters are expanded before the command is executed." So does it matter whether I use tilde or filename expansions in `$PATH`? – Tim Jun 7 at 19:53
@Reid mine is `grpe` – roaima Jun 7 at 20:23
Just so others know if they hit this with Google.
If you put `.` in your path and an attacker creates a file called `ls` in your current working directory, that may get executed if it comes up before `/bin/ls`. That fake `ls` could be a shell script with `rm -rf` in it; if `.` came up in the path first you may unknowingly run that `ls` when you issue the command and destroy your files.
answered Jun 7 at 17:35
Joe M
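A check for the entry kinds discussed in both answers (empty element, `.`, other relative entries, and tilde or glob characters stored literally), as an added example that is not part of either answer. The function name `audit_path` and the sample value are hypothetical.

```shell
#!/bin/sh
# Added example: audit a PATH-style string for the entry kinds discussed above.
# Prints one "position:finding:entry" line per risky entry; returns 1 if any.
# audit_path and SAMPLE_PATH are hypothetical names chosen for this example.
audit_path() (
    rest="$1:"          # trailing ':' so a final empty element is also seen
    pos=0
    bad=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text before the first ':'
        rest=${rest#*:}     # drop that entry and its ':'
        pos=$((pos + 1))
        case $entry in
            '')            finding=empty ;;     # '::', leading or trailing ':' means cwd
            .|./*|..|../*) finding=dot ;;       # explicit current or parent directory
            '~'*)          finding=tilde ;;     # kept literally; execvp() does not expand it
            /*)
                case $entry in
                    *\**|*\?*|*\[*) finding=glob ;;  # glob characters are kept literally too
                    *)              finding= ;;       # plain absolute directory
                esac ;;
            *)             finding=relative ;;  # resolved against the caller's cwd
        esac
        if [ -n "$finding" ]; then
            printf '%s:%s:%s\n' "$pos" "$finding" "$entry"
            bad=1
        fi
    done
    [ "$bad" -eq 0 ]
)

# Constructed sample: leading empty element, literal tilde, glob, relative, dot.
SAMPLE_PATH=':/usr/bin:~/bin:/opt/*/bin:tools:.'
audit_path "$SAMPLE_PATH" || echo "PATH contains entries that need cleanup"
```

Run it against the live value with `audit_path "$PATH"`; a clean result prints nothing and returns 0.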