From: Christian Franke
Date: Sat, 13 Sep 2014 16:17:00 -0000
To: cygwin@cygwin.com
Subject: Re: Cannot exec() program outside of /bin if PATH is unset
Message-ID: <541415B1.8090500@t-online.de>
In-Reply-To: <54137C7F.1040507@redhat.com>

Eric Blake wrote:
> On 09/12/2014 05:03 PM, Eric Blake wrote:
>> On 09/12/2014 04:50 PM, Christian Franke wrote:
>>> Andrey Repin wrote:
>>>>> Hmm... is postfix actually broken?
>>>>> Unsetting PATH is IMO sane (from the POSIX POV) if all exec() calls use
>>>>> absolute path names.
>>>> If all exec() calls are made with full paths, unsetting $PATH does not
>>>> improve security in any way,
>>> Of course. But postfix could be configured to run "unknown" external
>>> programs through its various daemons. In this case, a fixed (here:
>>> empty) PATH improves security. If not convinced, please discuss with the
>>> author of postfix :-)
>> An empty PATH leaves it up to the implementation what helpers get run
>> (if it doesn't fall over first), which is LESS secure than a guaranteed
>> safe PATH of confstr(_CS_PATH).
> By the way, passing a _safe_ PATH to your child process IS a good idea
> for security-conscious programs, but you have to do it correctly

Agree. The postfix spawn(8) and pipe(8) daemons actually spawn external
programs with PATH set to _PATH_DEFPATH.

> (by passing an actual safe path, and NOT by completely unsetting PATH).

Disagree. The postfix master(8) spawns all of its daemons with PATH unset.
This IMO does not violate POSIX.

Note that setting PATH=/bin on Cygwin does not fix the security problem
in the DLL search order. Even with "SafeDllSearchMode" enabled, the
current directory is always checked before PATH. Running some Cygwin
program from /usr/sbin, /usr/local/bin, /usr/libexec, ... would load a
possibly malicious cyg*.dll from the current directory regardless of the
PATH setting. Only programs in /bin are safe.

Using SetDllDirectory("c:\\cygwin\\bin") somewhere in cygwin1.dll would
fix this also.
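The "pass a safe PATH, don't unset it" pattern the thread argues about, written out as an added example (not code from this thread, from postfix or from Cygwin): the child gets an environment containing only PATH=confstr(_CS_PATH), with _PATH_DEFPATH as the fallback the postfix daemons use. It assumes a POSIX system with confstr(); the function names safe_path and run_helper are mine.

```c
/* Added example, not code from the thread or from postfix: spawn a helper
 * with a guaranteed safe PATH from confstr(_CS_PATH) instead of unsetting
 * PATH. Assumes a POSIX system; the function names are mine. */
#include <paths.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Copy the implementation's safe PATH into buf, falling back to the
 * compiled-in _PATH_DEFPATH if confstr() is unsupported. Returns the
 * length including the NUL, or 0 on error (never a truncated path). */
size_t safe_path(char *buf, size_t len)
{
    size_t n = confstr(_CS_PATH, buf, len);
    if (n > len)                 /* buffer too small */
        return 0;
    if (n == 0) {                /* _CS_PATH not supported */
        if (strlen(_PATH_DEFPATH) >= len)
            return 0;
        strcpy(buf, _PATH_DEFPATH);
        n = strlen(buf) + 1;
    }
    return n;
}

/* Fork and exec prog, an absolute path (so PATH is not used for the lookup
 * itself), with an environment holding only the safe PATH: nothing
 * inherited, not even a caller-controlled PATH, reaches the child.
 * Returns the child's exit status, or -1 on failure. */
int run_helper(const char *prog, char *const argv[])
{
    char path[4096], pathvar[sizeof path + 5];
    if (safe_path(path, sizeof path) == 0)
        return -1;
    snprintf(pathvar, sizeof pathvar, "PATH=%s", path);
    char *env[] = { pathvar, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(prog, argv, env);
        _exit(127);              /* exec failed: the conventional status */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

This covers only the PATH half of the discussion: as the mail above notes, on Cygwin the DLL search order checks the current directory before PATH, which a sanitized PATH alone cannot fix.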