Why should not I add current directory to PATH in Linux?

In summary, adding the current directory to the $PATH variable can lead to security vulnerabilities, as it allows malicious users to execute potentially harmful commands from the current directory. This can be mitigated by placing the current directory at the end of $PATH rather than the beginning. This was demonstrated in the example given, where a sneaky ls command in the current directory was executed instead of the authentic one in the /bin directory.
  • #1
shivajikobardan
674
54
TL;DR Summary
Why should not I add current directory to PATH in Linux?
1686407676824.png

I get that if I put current directory in PATH like said above, I can execute commands from any directory. But what's the problem in that? How's other person able to come and execute it? Why does it makes system unsecure compared to the case where we don't put current directory to PATH? Can you explain the example he's telling?
 
Technology news on Phys.org
  • #2
To make his example more explicit, suppose that the directory you're currently in, has a program (put there by some sneaky person) named ls, that reformats your disk, or encrypts it with a secret password, or something like that. You decide to find out what files are in the directory, and type the usual ls command. It runs the sneaky ls instead of the normal ls command which is something like /usr/bin/ls.
 
  • Like
Likes shivajikobardan
  • #3
In that example, the system will look in the current directory before looking in /bin or /usr/bin. It will therefore run the dodgy ./ls rather than the authentic /bin/ls. And the malicious user can modify ./ls so it doesn't list itself when imitating the output of /bin/ls.

This can be mitigated by placing . at the end of $PATH rather than the beginning.
 
  • #4
pasmith said:
In that example, the system will look in the current directory before looking in /bin or /usr/bin. It will therefore run the dodgy ./ls rather than the authentic /bin/ls. And the malicious user can modify ./ls so it doesn't list itself when imitating the output of /bin/ls.

This can be mitigated by placing . at the end of $PATH rather than the beginning.
thank you. I got this now.
 

Related to Why should not I add current directory to PATH in Linux?

1. Why should I not add the current directory to PATH in Linux?

Adding the current directory to your PATH in Linux can pose a security risk as it allows for the execution of potentially malicious scripts or binaries in your current directory without specifying their full path.

2. Can adding the current directory to PATH cause conflicts with system binaries?

Yes, adding the current directory to your PATH can potentially cause conflicts with system binaries if a script or binary in your current directory has the same name as a system binary. This can lead to unintended consequences or security vulnerabilities.

3. How can I run scripts or binaries in the current directory without adding it to PATH?

You can run scripts or binaries in the current directory by specifying the full path to the script or binary when executing it. For example, to run a script called "myscript.sh" in the current directory, you can use "./myscript.sh" to execute it.

4. Are there any alternative ways to avoid adding the current directory to PATH?

Yes, you can create a separate directory for your scripts or binaries and add that directory to your PATH instead of the current directory. This helps to keep your system organized and reduces the risk of executing malicious scripts or binaries inadvertently.

5. What are the best practices for managing the PATH environment variable in Linux?

It is recommended to only add directories containing trusted scripts or binaries to your PATH in Linux. Avoid adding the current directory or directories with untrusted content to your PATH to minimize security risks and prevent conflicts with system binaries.

Similar threads

  • Programming and Computer Science
Replies
9
Views
3K
Replies
19
Views
2K
  • Programming and Computer Science
Replies
10
Views
1K
  • Programming and Computer Science
Replies
12
Views
9K
Replies
3
Views
685
Replies
6
Views
1K
  • Computing and Technology
Replies
12
Views
4K
  • Programming and Computer Science
Replies
1
Views
2K
  • Programming and Computer Science
Replies
2
Views
5K
Back
Top