Security: test PATH and warn or exit on discovery of dangerous location

2019-06-30 19:21:07 +02:00 · 2019-06-30 19:21:07 +02:00 · fdacc00b45
parent 5e4e44bdf3
commit fdacc00b45
1 changed files with 28 additions and 7 deletions
--- a/include/binaries
+++ b/include/binaries
@ -42,18 +42,39 @@
        Display --indent 2 --text "- Checking system binaries..."
        LogText "Status: Starting binary scan..."

-        # Test if our PATH variable provides a set of paths
-        # If so, reverse the order. If we discover the same binary multiple times, the one first in PATH
-        # should be used.
-        # If PATH is empty, we use the predefined list in include/consts. Common paths first, then followed
-        # by more specific paths. This helps on the slightly ancient UNIX derivatives.
+        # Notes:
+        # - If PATH is empty, we use the predefined list in include/consts
+        # - Common paths first, then followed by more specific paths. This helps on the slightly ancient UNIX derivatives.
+        # - Avoid sorting the path list, as this might result in incorrect order of finding binaries (e.g. awk binary)
+
+        # Test if our PATH variable provides a set of paths. If so, reverse the order. If we discover the same binary
+        # multiple times, the one first in PATH should be used.
        if [ ! -z "${PATH}" ]; then
            PATH_REVERSED=$(echo ${PATH} | awk -F: '{ for (i=NF; i>1; i--) printf("%s ",$i); print $1; }')
            BIN_PATHS=$(echo "${PATH_REVERSED} ${BIN_PATHS}" | tr ':' ' ')
        fi

-        # Avoid sorting, as this might result in incorrect order of finding binaries (e.g. awk binary)
-        #SORTED_BIN_PATHS=$(echo ${BIN_PATHS} | tr ' ' '\n' | sort | uniq | tr '\n' ' ')
+        # First test available locations that may be suspicious or dangerous
+        for SCANDIR in ${BIN_PATHS}; do
+            FOUND=0
+            if [ "${SCANDIR}" = "." ]; then FOUND=1; MSG="Found single dot (.) in PATH"
+            elif [ "${SCANDIR}" = ".." ]; then FOUND=1; MSG="Found double dot (..) in PATH"
+            elif echo ${SCANDIR} | grep '^\.\.' > /dev/null; then FOUND=1; MSG="Found path starting with double dot (..) in PATH"
+            elif echo ${SCANDIR} | grep '^[a-zA-Z]' > /dev/null; then FOUND=1; MSG="Found relative path in PATH"
+            fi
+            if [ ${FOUND} -eq 1 ]; then
+                # Stop execution if privileged, otherwise continue but warn user
+                if [ ${PRIVILEGED} -eq 1 ]; then
+                    ExitFatal "Possible riskful location (${SCANDIR}) in PATH discovered. Quitting..."
+                else
+                    Display --indent 4 --text "Warning: suspicious location (${SCANDIR}) in PATH"
+                    ReportWarning "${TEST_NO}" "Possible riskful location in PATH discovered" "text:${MSG}"
+                    sleep 1
+                fi
+            fi
+        done
+
+        # Now perform binary detection
        for SCANDIR in ${BIN_PATHS}; do
            LogText "Test: Checking binaries in directory ${SCANDIR}"
            ORGPATH=""