Zsh Mailing List Archive

Re: Thoughts on protecting against PATH interception via user owned profiles



I think there's a major difference here in the way Apple's sudo works. It's
simple to check on macOS that *sudo env* preserves PATH (but not other
variables). It can be fixed with *secure_path* in sudoers file. Possibly
other nix systems fix this with *secure_path* by default? Don't have access
to my VMs right now to check.

On Mon, Dec 16, 2019 at 3:48 AM Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx>
wrote:

> Daniel has pretty well summed this up, but just one thing:
>
> On Sat, Dec 14, 2019 at 11:58 PM Andrew Parker
> <andrew.j.c.parker@xxxxxxxxx> wrote:
> >
> > Consider Homebrew. The installation script calls sudo. The root shell
> > inherits my user's env. Brew then executes numerous commands that can be
> > intercepted. My system is now forever compromised.
>
> That's not how sudo normally works.  In most cases sudo discards the
> environment and replaces it with a default system-configured one.  To
> run with the user's environment, it is both necessary to invoke "sudo
> -E", and for the security policy associated with that user to permit
> preserving the environment.
>
>        -E, --preserve-env
>                    Indicates to the security policy that the user wishes to
>                    preserve their existing environment variables.  The
>                    security policy may return an error if the user does not
>                    have permission to preserve the environment.
>
> It is the responsibility of the program that escalates the privilege
> to make sure it is not making unsafe assumptions, not the
> responsibility of the shell (or any other program) in the
> non-privileged state.
>
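
An added example, not code from the thread or from sudo itself: two POSIX sh helpers for the checks discussed above. `sudoers_sets_secure_path` reports whether a sudoers text contains an uncommented `Defaults ... secure_path=` setting, and `audit_path` lists the entries of a PATH value that a non-root user could control if sudo handed that PATH to root (empty or relative entries, missing directories, symlinks, group- or other-writable directories). Both function names are hypothetical; the permission test reads the mode string from `ls -ld` and does not check ownership.

```shell
#!/bin/sh
# Added example (not from the thread): hypothetical helpers for the two
# checks discussed above.

# Return 0 when the sudoers text in $1 has an uncommented
# "Defaults ... secure_path=" line (with env_reset alone, PATH is still inherited).
sudoers_sets_secure_path() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*Defaults[^#]*[[:space:],]secure_path[[:space:]]*='
}

# Print one line per entry of the PATH value in $1 and return 1 if any
# entry could be controlled by a non-root user: empty or relative
# entries, missing directories, symlinks, group/other-writable dirs.
# Ownership is not checked because stat(1) flags are not portable.
audit_path() {
    _bad=0
    _rest="$1:"                       # trailing ':' terminates the split
    while [ -n "$_rest" ]; do
        dir=${_rest%%:*}
        _rest=${_rest#*:}
        case $dir in
            '') echo "RISK: empty entry (means current directory)"; _bad=1; continue ;;
            /*) ;;
            *)  echo "RISK: relative entry '$dir'"; _bad=1; continue ;;
        esac
        if [ ! -d "$dir" ]; then
            echo "RISK: '$dir' does not exist (could be created later)"; _bad=1; continue
        fi
        mode=$(ls -ld "$dir" | cut -c1-10)   # e.g. drwxrwxrwt
        case $mode in
            l*) echo "RISK: '$dir' is a symlink"; _bad=1; continue ;;
        esac
        # In the mode string, char 6 is group write and char 9 is others write.
        if [ "$(printf '%s' "$mode" | cut -c6)" = w ] ||
           [ "$(printf '%s' "$mode" | cut -c9)" = w ]; then
            echo "RISK: '$dir' is writable by group or others ($mode)"; _bad=1
        else
            echo "ok:   '$dir' ($mode)"
        fi
    done
    return $_bad
}

# Stand-alone use: audit_path "$PATH" checks the current shell's PATH;
# pass the PATH printed by "sudo env" to check what sudo would hand root.
```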

