Message-Id: <email address hidden>
Date: Thu, 24 Mar 2005 07:30:14 +1100
From: <email address hidden>
To: <email address hidden>
Subject: Re: Bug#299007: base-files: Insecure PATH in /root/.profile

Some Googling turned up the following:

http://www.tldp.org/HOWTO/Path-12.html
  Any of the important daemon processes should never execute anything that
  some other user can write into. In some systems, /usr/local/bin is
  allowed to contain programs with less strict security screening - it is
  just removed from the path of the root user.

http://www.tldp.org/HOWTO/Security-HOWTO/local-security.html
  The command path for the root user is very important. The command path
  (that is, the PATH environment variable) specifies the directories in
  which the shell searches for programs. Try to limit the command path for
  the root user as much as possible, and never include . (which means "the
  current directory") in your PATH. Additionally, never have writable
  directories in your search path ...

http://security.sdsc.edu/advisories/outback_sec_guidelines
  Most current day operating systems have this but, audit root's path, make
  sure dirs are owned and only writable by root. minimize as much as
  possible, e.g. /sbin:/usr/sbin:/bin:/usr/bin

http://www.start-linux.com/articles/article_165.php
  One important thing to keep in mind are the different $PATH settings for
  users and root:
  * user: /usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/user/bin:
  * root: /sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin

http://www.tldp.org/HOWTO/Tips-HOWTO-3.html
  Root's path should consist of 'PATH= /bin'
  That's it. Nothing else on root's path.

http://osmirrors.cerias.purdue.edu/pub/OpenBSD/src/etc/security
  { print "Root path directory " $10 " is group writable." }

http://www.unet.univie.ac.at/aix/aixbman/admnconc/system_security.htm
  The PATH value in the /etc/profile file is used by the root user. Only
  specify directories that are secure, that is, that only root can write
  to.

http://docsun.cites.uiuc.edu/sun_docs/C/solaris_9/SUNWaadm/SYSADV4/p98.html
  The paths that lead to the home directory must be owned and writable by
  root only. For example, if a .forward file is in /export/home/terry,
  /export and /export/home must be owned and writable by root only.

Cheers,

Paul Szabo <email address hidden> http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
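
The checks the quoted guidelines ask for (no empty or relative entries, every directory owned by root and not group- or world-writable), written out as an added example; it is not part of the original message or of base-files. The function names and the optional owner-uid argument are assumptions made here.

```shell
#!/bin/sh
# Added example: audit a PATH string for the weaknesses named above.
# Usage: audit_path PATH_STRING [OWNER_UID]   (OWNER_UID defaults to 0 = root)

check_dir() {
    dir=$1 want_uid=$2
    case $dir in
        '') return 0 ;;   # empty entries are reported once by list_findings
        /*) ;;
        *)  echo "$dir: relative entry, resolved against the current directory"
            return 0 ;;
    esac
    [ -d "$dir" ] || { echo "$dir: not an existing directory"; return 0; }
    # POSIX "ls -ldn": field 1 is the mode string, field 3 the numeric owner.
    # The trailing "/." describes the target when the entry is a symlink.
    set -- $(ls -ldn "$dir/.")
    mode=$1 uid=$3
    [ "$uid" = "$want_uid" ] || echo "$dir: owned by uid $uid, expected $want_uid"
    case $mode in ?????w*) echo "$dir: group writable" ;; esac
    case $mode in ????????w*) echo "$dir: world writable" ;; esac
}

list_findings() {
    path_value=$1 want_uid=$2
    # A leading, trailing or doubled ":" is an empty entry.
    case ":$path_value:" in
        *::*) echo "(empty entry): means the current directory" ;;
    esac
    set -f; IFS=:          # split on ":" only, with globbing off
    set -- $path_value
    unset IFS              # back to default splitting for check_dir
    for dir in "$@"; do
        check_dir "$dir" "$want_uid"
    done
}

# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_path() {
    # Command substitution keeps the IFS and "set -f" changes in a subshell.
    findings=$(list_findings "$1" "${2:-0}")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

if [ $# -gt 0 ]; then audit_path "$@"; fi
```

Run as root with `audit_path "$PATH"` to check the live search path. Parent directories of each entry are not examined.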