Recipe 9.7 Testing Your Search Path

9.7.1 Problem

You want to avoid invoking the wrong program of a given name.

9.7.2 Solution

Ensure that your search path contains no relative directories:

$ perl -e 'print "PATH contains insecure relative directory \"$_\"\n"
              foreach grep ! m[^/], split /:/, $ENV{"PATH"}, -1;'

9.7.3 Discussion

Imagine you innocently type ls while your current working directory is /tmp, and you discover to your chagrin that you have just run a malicious program, /tmp/ls, instead of the expected /bin/ls. Worse, you might not notice at all, if the rogue program behaves like the real version while performing other nefarious activities silently.

This can happen if your search path contains a period ("."), meaning the current working directory. The possibility of unexpected behavior is higher if "." is early in your search path, but even the last position is not safe: consider the possibility of misspellings. A cracker could create a malicious /tmp/hwo, a misspelling of the common who command, and hope you type "hwo" sometime while you're in /tmp. As there is no earlier "hwo" in your search path, you'll unintentionally run the cracker's ./hwo program. (Which no doubt prints, `basename $SHELL`: hwo: command not found to stderr while secretly demolishing your filesystem.) Play it safe and keep "." out of your search path.

An empty search path element?two adjacent colons, or a leading or trailing colon? also refers to the current working directory. These are sometimes created inadvertently by scripts that paste together the PATH environment variable with ":" separators, adding one too many, or adding an extra separator at the beginning or end.

In fact, any relative directories in your search path are dangerous, as they implicitly refer to the current working directory. Remove all of these relative directories: you can still run programs (securely!) by explicitly typing their relative directory, as in:


Our recipe uses a short Perl script to split the PATH environment variable, complaining about any directory that is not absolute (i.e., that does not start with a "/" character). The negative limit (-1) for split is important for noticing troublesome empty directories at the end of the search path.

9.7.4 See Also


    Chapter 9. Testing and Monitoring