Why shouldn't I add the current directory to PATH in Linux?

Discussion Overview

The discussion revolves around the implications of adding the current directory to the PATH environment variable in Linux. Participants explore the security risks associated with executing commands from the current directory, particularly in relation to potentially malicious programs that could be present.

Discussion Character

  • Debate/contested
  • Technical explanation

Main Points Raised

  • One participant questions the security risks of adding the current directory to PATH, asking how it allows others to execute commands.
  • Another participant provides an example where a malicious program named 'ls' in the current directory could replace the standard 'ls' command, leading to harmful actions.
  • It is noted that, in that example, the system searches the current directory before standard directories like /bin or /usr/bin when resolving a command.
  • Some participants suggest that placing the current directory at the end of the PATH could mitigate the risks associated with executing potentially harmful commands.

Areas of Agreement / Disagreement

Participants express differing views on the security implications of modifying the PATH variable. While some acknowledge the risks, others propose potential mitigations without reaching a consensus on the best approach.

Contextual Notes

The discussion does not resolve the broader implications of security practices related to PATH modifications, and assumptions about user behavior and system configuration are not fully explored.

shivajikobardan
TL;DR: Why shouldn't I add the current directory to PATH in Linux?
1686407676824.png

I get that if I put the current directory in PATH as said above, I can execute commands from any directory. But what's the problem in that? How is another person able to come and execute it? Why does it make the system insecure compared to the case where we don't put the current directory in PATH? Can you explain the example he's telling?
 
To make his example more explicit, suppose that the directory you're currently in has a program (put there by some sneaky person) named ls that reformats your disk, or encrypts it with a secret password, or something like that. You decide to find out what files are in the directory, and type the usual ls command. It runs the sneaky ls instead of the normal ls command, which is something like /usr/bin/ls.
 
In that example, the system will look in the current directory before looking in /bin or /usr/bin. It will therefore run the dodgy ./ls rather than the authentic /bin/ls. And the malicious user can modify ./ls so it doesn't list itself when imitating the output of /bin/ls.

This can be mitigated by placing . at the end of $PATH rather than the beginning.
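
An added example, not part of the original thread: a POSIX shell function that audits a PATH string for entries the shell resolves against the current directory, reporting where each sits in the search order. It goes beyond the posts by also flagging empty entries (a leading, trailing or doubled colon, which the shell treats like .) and other relative entries; the name audit_path and the sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag PATH entries that depend on the current directory.

# audit_path PATHSTRING
# Prints "<position>/<total> <kind> [<entry>]" for each risky entry, where
# kind is: dot (literal "."), empty (zero-length entry, same meaning as "."),
# or relative (does not start with "/"). Returns 1 if anything was flagged.
audit_path() {
    rest=$1
    # Number of entries = number of colons + 1.
    total=$(printf '%s' "$1" | tr -cd ':' | wc -c)
    total=$((total + 1))
    pos=0
    flagged=0
    while :; do
        pos=$((pos + 1))
        entry=${rest%%:*}            # text before the first colon
        case "$entry" in
            '')  kind=empty ;;
            .)   kind=dot ;;
            /*)  kind= ;;            # absolute entry: not flagged
            *)   kind=relative ;;
        esac
        if [ -n "$kind" ]; then
            printf '%s/%s %s [%s]\n' "$pos" "$total" "$kind" "$entry"
            flagged=1
        fi
        case "$rest" in
            *:*) rest=${rest#*:} ;;  # drop the entry just examined
            *)   break ;;            # that was the last entry
        esac
    done
    return "$flagged"
}

# Constructed samples: "." first, "." last, a trailing colon, and a clean PATH.
for sample in ".:/usr/bin:/bin" "/usr/bin:/bin:." "/usr/bin:/bin:" "/usr/bin:/bin"; do
    printf 'PATH=%s\n' "$sample"
    audit_path "$sample" || true
done
```

Run it against a live session with audit_path "$PATH"; a position of 1 means the current directory is searched before /bin and /usr/bin, as in the ls example above.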
 
pasmith said:
In that example, the system will look in the current directory before looking in /bin or /usr/bin. It will therefore run the dodgy ./ls rather than the authentic /bin/ls. And the malicious user can modify ./ls so it doesn't list itself when imitating the output of /bin/ls.

This can be mitigated by placing . at the end of $PATH rather than the beginning.
Thank you. I got this now.
 
