Greg Wooledge writes:
> On Mon, Jun 19, 2017 at 06:00:58PM +0200, Nicolas George wrote:
>> On primidi 1 Messidor, year CCXXV, Henrique de Moraes Holschuh wrote:
>> > That said, no, it is not usually considered a security vulnerability,
>> > because NOT using the full path to run commands such as "su" and "sudo"
>> > in the first place IS considered gross negligence.
>>
>> If your account has been compromised so much that an attacker was able
>> to add something in ~/bin/, then using the full path of the commands
>> does not bring any extra security.
>
> Henrique, I believe, was describing an attack that works like this:
>
> 1) Login.
> 2) PATH=~/bin:$PATH
> 3) vi ~/bin/su (insert malicious code); chmod 755 ~/bin/su
> 4) Call the system administrator, and get him/her to come to your desk.
> 5) Get the sysadmin to run "su -c something" for you at your desk.
>    This runs your password-capturing program, which records the root
>    password somewhere you can retrieve it after the sysadmin leaves.

Typing /bin/su instead doesn't help against this attack, for example zsh
allows:

  $ alias /bin/su="echo Hallo"
  $ /bin/su
  Hallo

Or one could just present something that looks and behaves like the
normal shell except when /bin/su is called. Or use the DEBUG trap in
bash. Or...

In short, it is never safe to run `su` and enter a password from an
untrusted account. And one should regard all accounts one uses `su`
from as equivalent to root (for misuse; the password just helps against
breaking some things by accident).

Ansgar
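
An added example, not part of Ansgar's message or of the thread: a POSIX shell audit, meant to be run by root from a trusted login rather than from the account in question, that flags executables named su or sudo under a home tree and startup-file lines that alias or redefine them or install a DEBUG trap. The function names, the list of startup files and the regular expression are assumptions made for this example and are not exhaustive.

```shell
#!/bin/sh
# Added example. Run as root from a trusted login, never from the account
# being inspected. File list and pattern are constructed and not exhaustive.

# ERE for startup-file lines that alias su/sudo (with or without a path, as in
# the zsh example), define a function of that name, or install a DEBUG trap.
RC_PATTERN='alias[[:space:]]+([^=[:space:]]*/)?(su|sudo)=|(^|[[:space:];])(su|sudo)[[:space:]]*\(\)|function[[:space:]]+(su|sudo)([[:space:]({]|$)|trap[[:space:]].*DEBUG'

# Print "shadow <path>" for each owner-executable file named su or sudo
# under the tree $1 (for example a planted ~/bin/su).
find_shadow_binaries() {
    find "$1" -type f \( -name su -o -name sudo \) -perm -100 2>/dev/null |
        sed 's/^/shadow /'
}

# Print "rcfile <file>:<line>:<text>" for matching lines in shell startup
# files under $1. /dev/null forces grep to print the file name.
find_rc_overrides() {
    find "$1" -type f \( -name .bashrc -o -name .bash_profile \
        -o -name .profile -o -name .zshrc -o -name .zshenv \) \
        -exec grep -nE "$RC_PATTERN" /dev/null {} + 2>/dev/null |
        sed 's/^/rcfile /'
}

# Usage: audit_homes /home
audit_homes() {
    find_shadow_binaries "$1"
    find_rc_overrides "$1"
}
```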