#781367 bash may set a PATH including "." under certain circumstances

Package: bash
Source: bash
Description: GNU Bourne Again SHell
Submitter: Christoph Anton Mitterer
Date: 2024-05-14 09:12:03 UTC
Severity: important
Tags:
#781367#5
Date:
2015-03-28 06:56:01 UTC
From:
To:
Hi.

I've raised the severity a bit, since this may have security
implications.

When bash is started as a login or non-login shell from an environment
that doesn't have a reasonable PATH already set and when either --noprofile
respectively --norc are used (or some other forms like run as "sh" or in
POSIX mode, I guess) or when the profile/bashrc files don't set a PATH
(which they in principle shouldn't need to) then bash apparently sets
some hardcoded default for root and non-root users.

In both cases this contains "." as PATH directory, which is generally
undesired and typically not recommended to be set per default for
security reasons.


E.g.
$ id -u
1000

$ unset PATH
$ /bin/bash --norc
$ echo $PATH
/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.

or

$ unset PATH
$ /bin/bash --noprofile --login
$ echo $PATH
/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.

and so on.


It seems that this is a Debian speciality, at least on e.g. CentOS a
sane path is then set.


Cheers,
Chris.

#781367#16
Date:
2024-05-14 09:08:50 UTC
From:
To:
On Sat, Mar 28, 2015 at 07:56:01AM +0100, Christoph Anton Mitterer wrote:
[..]
[..]
https://git.savannah.gnu.org/cgit/bash.git/tree/config-top.h#n63
(config-top.h defines DEFAULT_PATH_VALUE)

Fedora overrides DEFAULT_PATH_VALUE like this:
  -DDEFAULT_PATH_VALUE='\"/usr/local/bin:/usr/bin\"'

Chris
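
A check for the condition reported in this thread, as an added example that is not part of the bug report or of bash itself: it asks a bash binary for the PATH it falls back to when it inherits none, then lists every entry that resolves against the current directory. It goes beyond the literal "." case by also flagging empty entries and any other relative entry; the helper names `path_cwd_entries` and `bash_default_path` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the bug report. Helper names are hypothetical.

# path_cwd_entries PATHSTRING
# Prints "<position>:<entry>" for every entry that is not an absolute path,
# because such entries are resolved against the current working directory.
# Empty entries (leading, trailing or doubled colon) are shown as "(empty)";
# an entirely empty string is conservatively reported as one empty entry.
# Returns 0 if anything was reported, 1 if every entry is absolute.
path_cwd_entries() {
    _rest=$1; _pos=0; _rc=1
    while :; do
        _pos=$((_pos + 1))
        case $_rest in
            *:*) _entry=${_rest%%:*}; _rest=${_rest#*:}; _last=0 ;;
            *)   _entry=$_rest; _last=1 ;;
        esac
        case $_entry in
            /*) ;;                                        # absolute: fine
            '') printf '%s:(empty)\n' "$_pos"; _rc=0 ;;
            *)  printf '%s:%s\n' "$_pos" "$_entry"; _rc=0 ;;
        esac
        if [ "$_last" -eq 1 ]; then break; fi
    done
    return "$_rc"
}

# bash_default_path [BASH_BINARY]
# Prints the PATH the given bash assigns itself when started with an empty
# environment and no startup files (the situation from the report).
# /bin/bash is the binary used in the report's reproduction.
bash_default_path() {
    env -i "${1:-/bin/bash}" --norc --noprofile -c 'printf "%s\n" "$PATH"'
}

# Stand-alone run: audit the local bash, if there is one.
if [ -x /bin/bash ]; then
    default_path=$(bash_default_path)
    if hits=$(path_cwd_entries "$default_path"); then
        echo "bash default PATH has cwd-relative entries: $default_path"
        echo "$hits"
    else
        echo "bash default PATH has only absolute entries: $default_path"
    fi
fi
```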