Operating System - HP-UX

Root PATH shares writable path with users

 
SOLVED
TheJuiceman
Super Advisor


I need to clean up our PATH settings. We currently have a path set in /etc/profile that is writable by users.

Root's PATH is set as
PATH=/usr/sbin:/sbin:/root:$PATH

I would like to clean up root's PATH so that this security problem is fixed. However, I am worried that removing "$PATH" from root's profile will cause software/programming problems (and I would prefer not to have to copy everything into root's profile and then have to remember to edit it every time a program change is made).

The options I am seeing are:

1. Edit root's PATH to exclude $PATH, include what is needed from /etc/PATH, and try to keep it up-to-date
2. Edit each user's PATH and remove the questionable path from /etc/profile (the questionable path is set in /etc/profile, not /etc/PATH). Obviously a long and painful process.

In either case, it looks like I would need to take it out of /etc/profile and either put it in each user's .profile or in /etc/PATH.

I'm sure there is a better way to go. Any ideas? Thanks
Torsten.
Acclaimed Contributor

Re: Root PATH shares writable path with users

>> We currently have a path set in /etc/profile that is writable by users.



Can you explain this?

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.

James R. Ferguson
Acclaimed Contributor

Re: Root PATH shares writable path with users

Hi:

The standard root '.profile' declares :

# PATH=/usr/sbin:$PATH:/sbin:/root

...which, in part, is based on what '/etc/profile' builds using '/etc/PATH'. Since '/etc/PATH' should only be *readable* the problem of security shouldn't exist.

If you mean that '/etc/profile' is writable by any user, then yes, you have a security hole.

Regards!

...JRF...
Patrick Wallek
Honored Contributor

Re: Root PATH shares writable path with users

What I would do:

Clean up /etc/PATH so that it only has what is absolutely required for all users.

Set up whatever you need for root in root's .profile file.

If particular users need something other than the normal path, set that up in their own .profile.
TheJuiceman
Super Advisor

Re: Root PATH shares writable path with users

/etc/PATH and /etc/profile both have the proper permission on the files themselves. There is a path INSIDE /etc/profile that is writable to users.

Inside /etc/profile, we have such...

export PATH=$PATH:/misc/writablepath:/usr/local/bin

Root should not need access to the /misc/writablepath and, from what I understand, should not have /usr/local/bin in its PATH either.
James R. Ferguson
Acclaimed Contributor

Re: Root PATH shares writable path with users

Hi (again):

> Root should not need access to the /misc/writablepath and, from what I understand, should not have /usr/local/bin in its PATH either.

Then you need to clean up '/etc/profile' to eliminate this world-writeable directory. Modify the *users'* '.profile' as necessary to add the required directory to their PATH in *their* profile.

You are correct, '/usr/local/bin' should not be present in root's PATH either, but this directory should only be executable by non-root users so you, the administrator, control its contents.

Regards!

...JRF...
TheJuiceman
Super Advisor

Re: Root PATH shares writable path with users

Blah....I was hoping not to have to edit thousands of users' .profiles :(
Steven Schweda
Honored Contributor

Re: Root PATH shares writable path with users

> Blah....I was hoping not to have to edit
> thousands of users' .profiles :(

But if "/etc/profile" is a script, and if
(some variant of) "whoami" works, then why
couldn't it do different things for different
users?

Why couldn't it do permission checks on a
directory before adding it to PATH (for some
particular user(s))?

As usual, many things are possible.
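
An added example of the idea in the reply above, not code from any poster in this thread: a fragment that could be sourced from /etc/profile so that the extra directories never reach root's PATH and reach other users only when they pass a permission check. The function names `is_world_writable` and `safe_path_append` and the policy itself are assumptions; the two directories are the ones named in the thread.

```shell
# Added example (hypothetical helper names), POSIX sh, for sourcing from /etc/profile.

# is_world_writable DIR: true if "others" have write permission on DIR.
# ls -L follows a symlink so the mode of the real directory is tested;
# character 9 of the mode string (e.g. drwxrwxrwt) is the other-write bit.
is_world_writable() {
    [ "$(ls -ldL "$1" 2>/dev/null | awk 'NR==1 {print substr($1, 9, 1)}')" = "w" ]
}

# safe_path_append CURRENT_PATH UID DIR...
# Prints CURRENT_PATH with each DIR appended, subject to this assumed policy:
#   - uid 0 (root) gets none of the extra directories
#   - other users get a DIR only if it exists, is a directory,
#     is not world-writable, and is not already in the PATH
safe_path_append() {
    new_path=$1; uid=$2; shift 2
    if [ "$uid" -ne 0 ]; then
        for dir in "$@"; do
            [ -d "$dir" ] || continue
            is_world_writable "$dir" && continue
            case ":$new_path:" in *":$dir:"*) continue ;; esac
            new_path="$new_path:$dir"
        done
    fi
    printf '%s\n' "$new_path"
}

# Replaces the line "export PATH=$PATH:/misc/writablepath:/usr/local/bin".
# The call runs in a subshell, so its working variables do not leak into the login shell.
PATH=$(safe_path_append "$PATH" "$(id -u)" /misc/writablepath /usr/local/bin)
export PATH
# In a real /etc/profile, follow with: unset -f safe_path_append is_world_writable
```
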
Bill Hassell
Honored Contributor
Solution

Re: Root PATH shares writable path with users

I wrote the attached script to point out exactly what the poster is referring to. This script starts by verifying /etc/PATH, the system-wide starting point for setting the PATH variable. It will show these vulnerabilities:

# - world-writable paths
# - duplicate paths
# - non-existent paths or paths that are not directories
# - paths that are symlinks
# - : at end of $PATH, :.: or :: in PATH

A world writable path is /tmp for example. NEVER have a world-writable path included in $PATH for any user. Doing so allows Trojan and other rogue scripts to be accidentally run.

NOTE: HP supplies a lot of useless paths in the default /etc/PATH. Many refer to non-existent software packages and tools. A good sysadmin puts only the paths needed by ordinary users in /etc/PATH.

Then in /etc/profile (I'm assuming no scummy csh users are on the system) the PATH value is established for root separately from ordinary users. For instance, /usr/sbin and /usr/lbin should only be in root's PATH. Similarly, specialized applications like Sybase and Oracle, etc., need additional environment changes but these should not be global for every user. root probably needs slightly different database paths than a normal user.

Once /etc/PATH has been checked by scan-path, then the current $PATH variable is checked.

A very long PATH is a big security risk -- keep it short for everyone. Users can add their own paths to $PATH as needed in $HOME/.profile.

And good scripts NEVER use the current value of $PATH. Always start a script with:

export PATH=/usr/bin

and then add on as required by the script.


Bill Hassell, sysadmin
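
The attached scan-path script is not reproduced on this page. As an added example (not Bill Hassell's script), this POSIX sh function audits a PATH string for the five conditions listed in the post above; the name `scan_path` and the wording of the findings are assumptions.

```shell
# Added example (hypothetical function name and output labels), POSIX sh.
# scan_path PATHSTRING: print one finding per line, return 1 if any were found.
scan_path() {
    rest="$1:"      # sentinel colon so a trailing ":" shows up as an empty entry
    seen=":"
    bad=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}     # first entry
        rest=${rest#*:}     # everything after the first colon
        case "$dir" in
            "" | .) echo "current-directory: '$dir'"; bad=1; continue ;;
        esac
        case "$seen" in
            *":$dir:"*) echo "duplicate: $dir"; bad=1; continue ;;
        esac
        seen="$seen$dir:"
        if [ -h "$dir" ]; then
            echo "symlink: $dir"; bad=1
        fi
        if [ ! -d "$dir" ]; then
            # missing, a plain file, or a dangling symlink
            echo "not-a-directory: $dir"; bad=1
        elif [ "$(ls -ldL "$dir" | awk 'NR==1 {print substr($1, 9, 1)}')" = "w" ]; then
            # character 9 of the mode string is the other-write bit
            echo "world-writable: $dir"; bad=1
        fi
    done
    return "$bad"
}

# Check the system-wide file first (HP-UX keeps it in /etc/PATH), then the live value.
if [ -r /etc/PATH ]; then
    scan_path "$(cat /etc/PATH)" || echo "/etc/PATH needs cleanup"
fi
scan_path "$PATH" || echo "\$PATH needs cleanup"
```
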
Dennis Handly
Acclaimed Contributor

Re: Root PATH shares writable path with users

>Bill: NOTE: HP supplies a lot of useless paths in the default /etc/PATH. Many refer to non-existent software packages and tools.

If things are working correctly, if you install a product, it gets added and when you remove the product, it gets removed from /etc/PATH.