Why should not I add current directory to PATH in Linux?

Click For Summary
SUMMARY

Adding the current directory (.) to the PATH variable in Linux can lead to significant security vulnerabilities. When the current directory is prioritized in the PATH, a malicious user can place a harmful executable with the same name as a standard command (e.g., ls) in that directory. Consequently, executing the command will run the malicious version instead of the legitimate one located in /bin or /usr/bin. To mitigate this risk, it is recommended to place the current directory at the end of the PATH variable rather than the beginning.

PREREQUISITES
  • Understanding of Linux command line operations
  • Familiarity with the PATH environment variable
  • Knowledge of executable file permissions in Linux
  • Basic concepts of system security and vulnerabilities
NEXT STEPS
  • Research how to modify the PATH variable in Linux
  • Learn about Linux file permissions and their impact on security
  • Explore common Linux security practices to prevent malicious code execution
  • Investigate the implications of using aliases and functions in the shell
USEFUL FOR

System administrators, Linux users, and security professionals looking to enhance their understanding of command execution security and best practices for managing the PATH variable.

shivajikobardan
Messages
637
Reaction score
54
TL;DR
Why should not I add current directory to PATH in Linux?
1686407676824.png

I get that if I put current directory in PATH like said above, I can execute commands from any directory. But what's the problem in that? How's other person able to come and execute it? Why does it makes system unsecure compared to the case where we don't put current directory to PATH? Can you explain the example he's telling?
 
Technology news on Phys.org
To make his example more explicit, suppose that the directory you're currently in, has a program (put there by some sneaky person) named ls, that reformats your disk, or encrypts it with a secret password, or something like that. You decide to find out what files are in the directory, and type the usual ls command. It runs the sneaky ls instead of the normal ls command which is something like /usr/bin/ls.
 
Reply
  • Like
Likes   Reactions: shivajikobardan
In that example, the system will look in the current directory before looking in /bin or /usr/bin. It will therefore run the dodgy ./ls rather than the authentic /bin/ls. And the malicious user can modify ./ls so it doesn't list itself when imitating the output of /bin/ls.

This can be mitigated by placing . at the end of $PATH rather than the beginning.
 
pasmith said:
In that example, the system will look in the current directory before looking in /bin or /usr/bin. It will therefore run the dodgy ./ls rather than the authentic /bin/ls. And the malicious user can modify ./ls so it doesn't list itself when imitating the output of /bin/ls.

This can be mitigated by placing . at the end of $PATH rather than the beginning.
thank you. I got this now.
 

Similar threads

Python Why is a temporary directory created when using the Python library matplotlib?
  • · Replies 9 ·
Replies
9
Views
4K
Troubleshooting CMD: Issue with Running .exe Files Using PATH
  • · Replies 19 ·
Replies
19
Views
5K
Small confusion about redirection in Linux
  • · Replies 10 ·
Replies
10
Views
2K
Mysqld command does not start the MySQL Server
  • · Replies 12 ·
Replies
12
Views
11K
How did early compilers overcome the need for a compiler to compile itself?
  • · Replies 6 ·
Replies
6
Views
3K
Why do many applications come with their own terminal instead of using the native shell?
  • · Replies 3 ·
Replies
3
Views
2K
MinGW/MSYS problem with search path
  • · Replies 2 ·
Replies
2
Views
5K
What do you think of Windows Subsystem for Linux (WSL)?
  • · Replies 12 ·
Replies
12
Views
5K
Lunatic program on Linux and Smaky ?
  • · Replies 1 ·
Replies
1
Views
2K
Requesting suggestions for languages, libraries, and architectures for parallel (and sometimes non parallel) numerical and scientific computations
  • · Replies 8 ·
Replies
8
Views
4K