$HOME/.local/bin in $PATH

Daniel J Walsh dwalsh at redhat.com
Wed Oct 30 14:49:33 UTC 2013



On 10/29/2013 09:03 PM, Chris Adams wrote:
> Once upon a time, Reindl Harald <h.reindl at thelounge.net> said:
>> [root at srv-rhsoft:~]$ mkdir test
>> i could rm -rf ~/ here
>> 
>> [root at srv-rhsoft:~]$ cat /usr/local/bin/mkdir
>> #!/bin/bash
>> echo "i could rm -rf ~/ here"
> 
> If I can write to files you own, it doesn't matter if there's a directory
> in the PATH or not.  I can write this to your .bash_profile:
> 
> /bin/mkdir $HOME/.bin 2> /dev/null
> echo 'echo "i could rm -rf ~/ here"' > $HOME/.bin/mkdir
> chmod +x $HOME/.bin/mkdir
> PATH=$HOME/.bin:$PATH
> 
> Sure, it might not take effect immediately, but that's probably not the 
> point (I can't depend on you running "mkdir" in a shell at any particular
> point in time anyway).  You wouldn't gain anything security-wise by
> excluding a user-writable directory in PATH.
> 
> In fact, having a "known" ~/.local/bin could allow for a more restrictive
> SELinux policy on that directory that doesn't let arbitrary programs
> running as the user write there (don't know if that is the case though).
> 
 matchpathcon /home/dwalsh/bin /home/dwalsh/.local/bin
/home/dwalsh/bin	staff_u:object_r:home_bin_t:s0
/home/dwalsh/.local/bin	staff_u:object_r:home_bin_t:s0


We are doing this in some form, although more towards: the only files in the
user's homedir that are allowed to execute are in the home_bin_t directory.

We do try to block confined apps from writing to user_home_t which is most
files in ~ and also home_bin_t.

The only reference to home_bin_t on the target right now is the following.

 sesearch -A -t home_bin_t -c file | grep home_bin_t
   allow postfix_local_t home_bin_t : file { ioctl read getattr execute execute_no_trans open } ;
   allow procmail_t home_bin_t : file { ioctl read getattr execute execute_no_trans open } ;

Of course lots of user domains and unconfined domains are allowed to write to
home_bin_t.
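A defender-side check prompted by the discussion above, written here as an added example (it is not code from the thread, from Fedora or from the SELinux policy): a POSIX sh function that audits each PATH entry for empty or relative entries, missing directories, group/other-writable directories, and home-directory entries searched ahead of the system directories. The list of system directories is an assumption, and the matchpathcon line is only printed where that tool exists.

```shell
#!/bin/sh
# audit_path: report what a defender wants to know about each PATH entry.
# Prints one line per finding and returns the number of findings (0 = nothing to report).
# Usage: audit_path [PATH-string] [home-directory]; both default to $PATH and $HOME.
audit_path() {
    path_value=${1:-$PATH}
    home_dir=${2:-$HOME}
    findings=0
    seen_system=0
    note() { echo "$1"; findings=$((findings + 1)); }
    # A leading, trailing or doubled colon is an empty entry, which means ".".
    case ":$path_value:" in
        *::*) note "empty entry: the current directory is searched" ;;
    esac
    old_ifs=$IFS; IFS=:; set -- $path_value; IFS=$old_ifs
    for dir in "$@"; do
        case "$dir" in
            "") continue ;;                       # already reported above
            /*) ;;
            *) note "relative entry: $dir"; continue ;;
        esac
        # Assumed set of system directories; a home-owned directory that is
        # searched before any of them shadows the system commands.
        case "$dir" in
            /bin|/sbin|/usr/bin|/usr/sbin|/usr/local/bin|/usr/local/sbin) seen_system=1 ;;
            "$home_dir"/*)
                [ "$seen_system" -eq 0 ] && note "home directory searched before system dirs: $dir" ;;
        esac
        if [ ! -d "$dir" ]; then
            note "missing: $dir"; continue
        fi
        # Columns 6 and 9 of the ls mode string are the group and other write bits.
        perms=$(ls -ldL "$dir" | cut -c1-10)
        case "$perms" in
            ?????w*|????????w*) note "group/other writable: $dir ($perms)" ;;
        esac
        # On SELinux systems, show the label the policy expects for this directory
        # (home_bin_t for ~/bin and ~/.local/bin, as in the thread).
        command -v matchpathcon >/dev/null 2>&1 && matchpathcon "$dir" || true
    done
    return "$findings"
}
```

Run it with no arguments to audit the current shell's PATH; the exit status is the number of findings.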