PATH environment variable
The PATH environment variable is an important security control. It specifies the directories to be searched to find a command.
The default systemwide PATH value is specified in the /etc/profile file, and each user normally has a PATH value in the user's $HOME/.profile file. The PATH value in the .profile file either overrides the systemwide PATH value or adds extra directories to it.
Unauthorized changes to the PATH environment variable can enable a user on the system to "spoof" other users (including root users). Spoofing programs (also called Trojan horse programs) replace system commands and then capture information meant for that command, such as user passwords.
For example, suppose a user changes the PATH value so that the system searches the /tmp directory first when a command is run. Then the user places in the /tmp directory a program called su that asks for the root password just like the su command. Then the /tmp/su program mails the root password to the user and calls the real su command before exiting. In this scenario, any root user who used the su command would reveal the root password and not even be aware of it.
To prevent any problems with the PATH environment variable for system administrators and users, do the following:
- When in doubt, specify full path names. If a full path name is specified, the PATH environment variable is ignored.
- Never put the current directory (specified by . (period)) in the PATH value specified for the root user. Never allow the current directory to be specified in /etc/profile.
- The root user should have its own PATH specification in his private .profile file. Typically, the specification in /etc/profile lists the minimal standard for all users, whereas the root user might need more or fewer directories than the default.
- Warn other users not to change their .profile files without consulting the system administrator. Otherwise, an unsuspecting user could make changes that allow unintended access. A user .profile file should have permissions set to 740.
- System administrators should not use the su command to gain root privilege from a user session, because the
user's PATH value specified in the .profile file is in effect. Users can set their own .profile files. System administrators should log in to the user's machine
as root user or preferably, using their own ID and then use the following
command:
/usr/bin/su - root
This ensures that the root environment is used during the session. If a system administrator does operate as root in another user session, the system administrator should specify full path names throughout the session.
- Protect the input field separator (IFS) environment variable from being changed in the /etc/profile file. The IFS environment variable in the .profile file can be used to alter the PATH value.