Re: Thoughts on protecting against PATH interception via user owned profiles

[Daniel Shahaf <d.s@xxxxxxxxxxxxxxxxxx>]

Roman Perepelitsa wrote on Sun, Dec 15, 2019 at 09:41:14 +0100:
> On Sun, Dec 15, 2019 at 7:29 AM Andrew Parker
> <andrew.j.c.parker@xxxxxxxxx> wrote:
> > My question is whether zsh (and other shells) would ever be interested in
> > implementing a solution to this. My suggestion would be something like the
> > following (although there may be better alternatives):
> >
> > * zsh uses a config file in e.g. /etc directory which much be owned and
> > only writable by root
> > * The config can be used enable "protected profiles"
> > * Once protected profiles are enabled, only profiles which are owned and
> > only writable by root can be sourced on startup
> 
> You can do this by creating /etc/zshenv (owned by root) with the
> following content (untested):
> 
>   [[ -o no_rcs ]] && return
> 
>   () {
>     emulate -L zsh -o extended_glob
>     local file files=(zshenv)
>     [[ -o login       ]] && files+=(zprofile zlogin zlogout)
>     [[ -o interactive ]] && files+=(zshrc)
>     for file in ${ZDOTDIR:-~}/.$^files; do
>       [[ ! -f $file || -n $file(#qNu0g0^W) ]] && continue
>       # Either not owned by root:root or world writable.
>       echo -E - "skipping zsh user rcs because ${(q)file} is tainted" >&2
>       setopt no_rcs
>       return 1  # alternatively: exit 1
>     done
>   }
> 

This piece of code should not be used in production; it is insecure.

> This checks whether any of the user rc files are tainted (either not
> owned by root:root or world-writable) and unsets rc option if so. This
> will prevent zsh from sourcing rc files from the user's home
> directory. You can take some other action there if you like, such as
> exiting the shell.