public inbox for cygwin@cygwin.com
From: Christian Franke <Christian.Franke@t-online.de>
To: cygwin@cygwin.com
Subject: Re: Cannot exec() program outside of /bin if PATH is unset
Date: Sat, 13 Sep 2014 16:17:00 -0000
Message-ID: <541415B1.8090500@t-online.de>
In-Reply-To: <54137C7F.1040507@redhat.com>

Eric Blake wrote:
> On 09/12/2014 05:03 PM, Eric Blake wrote:
>> On 09/12/2014 04:50 PM, Christian Franke wrote:
>>> Andrey Repin wrote:
>>>>> Hmm... is postfix actually broken?
>>>>> Unsetting PATH is IMO sane (from the POSIX POV) if all exec() calls use
>>>>> absolute path names.
>>>> If all exec() calls are made with full paths, unsetting $PATH does not
>>>> improve
>>>> security in any way,
>>> Of course. But postfix could be configured to run "unknown" external
>>> programs through its various daemons. In this case, a fixed (here:
>>> empty) PATH improves security. If not convinced, please discuss with the
>>> author of postfix :-)
>> An empty PATH leaves it up to the implementation what helpers get run
>> (if it doesn't fall over first), which is LESS secure than a guaranteed
>> safe PATH of confstr(_CS_PATH).
> By the way, passing a _safe_ PATH to your child process IS a good idea
> for security-conscious programs, but you have to do it correctly

Agree. The postfix spawn(8) and pipe(8) daemons actually spawn external 
programs with PATH set to _PATH_DEFPATH.


> (by passing an actual safe path, and NOT by completely unsetting PATH).
>

Disagree. The postfix master(8) spawns all of its daemons with PATH 
unset. This IMO does not violate POSIX.

Note that setting PATH=/bin on Cygwin does not fix the security problem 
in the DLL search order. Even with "SafeDllSearchMode" enabled, the 
current directory is always checked before PATH. Running some Cygwin 
program from /usr/sbin, /usr/local/bin, /usr/libexec, ... would load a 
possibly malicious cyg*.dll from the current directory regardless of PATH 
setting. Only programs in /bin are safe.

Using SetDllDirectory("c:\\cygwin\\bin") somewhere in cygwin1.dll would 
fix this also.


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
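
The child-side practice discussed in this message (an absolute program path plus an explicit PATH taken from confstr(_CS_PATH) instead of an unset PATH), as an added C example that is not part of the original message, postfix or Cygwin. The names `safe_path_entry` and `run_with_safe_env` are hypothetical, and the chdir("/") is this example's own choice.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return a malloc'd "PATH=<default>" entry built from confstr(_CS_PATH),
 * the POSIX-defined PATH that finds the standard utilities. NULL on error. */
char *safe_path_entry(void)
{
    size_t n = confstr(_CS_PATH, NULL, 0);      /* length incl. NUL */
    if (n == 0)
        return NULL;
    char *entry = malloc(5 + n);
    if (entry == NULL)
        return NULL;
    memcpy(entry, "PATH=", 5);
    confstr(_CS_PATH, entry + 5, n);
    return entry;
}

/* Run abs_prog with an environment that contains only the safe PATH.
 * Returns the child's exit status, or -1 on error. */
int run_with_safe_env(const char *abs_prog, char *const argv[])
{
    if (abs_prog == NULL || abs_prog[0] != '/') {
        errno = EINVAL;    /* the helper itself is never looked up via PATH */
        return -1;
    }
    char *path = safe_path_entry();
    if (path == NULL)
        return -1;
    char *envp[] = { path, NULL };    /* nothing inherited from the parent */

    pid_t pid = fork();
    if (pid == 0) {
        /* Example's own choice: start in a fixed directory, not the inherited cwd. */
        if (chdir("/") == 0)
            execve(abs_prog, argv, envp);
        _exit(127);
    }
    free(path);
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

This covers only the environment handed to the child; it does not change the Windows DLL search order that the message describes.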
