Rustup set an insecure PATH

sha0coder · December 3, 2021, 4:38pm

$ echo $PATH
/home/user/.cargo/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/sbin:/usr/sbin

Putting the users home in first section in the $PATH is insecure, it should be at the last section of the path.

An attacker that gets access to the user account can create a script named sudo on .cargo/bin, when the real user types sudo an put his password the script send the password to the attacker or setuid a shell creating a backdoor. Basically all the binaries can be hijacked.

Solution:
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/sbin:/usr/sbin:/home/sha0/.cargo/bin

Rustup env:
# Prepending path in case a system-installed rustc needs to be overridden
export PATH="$HOME/.cargo/bin:$PATH"

functionality or security, you chose, but I consider rust as a hope in the security.

carols10cents · December 3, 2021, 5:04pm

You should probably file this as an issue in the rustup repo to make sure the rustup maintainers see it.

sha0coder · December 3, 2021, 5:24pm

I sent an email to the rust security team, but I'm sure they already know it.

sfackler · December 3, 2021, 6:53pm

If an attacker gets access to the user account, they can just modify PATH to whatever they want, right?

sha0coder · December 3, 2021, 9:34pm

true, unless .bashrc and so are protected with chattr, the path issue is just an extra insecurity.

quinedot · December 4, 2021, 12:42am

If you are concerned about such things, which is completely legitimate, you should build Rust projects as a dedicated unpriveleged user and/or in a sandbox, etc. The typical Rust build downloads dependencies from the internet and complies them, which includes running any build.rs files they have -- i.e. running arbitrary programs.

(Not saying your suggestion shouldn't be followed too.)

kpreid · December 4, 2021, 2:28pm

Note that if rustup put /home/user/.cargo/bin last instead of first, then it would not override a system installation of Rust.

sha0coder · December 5, 2021, 12:04pm

nope, its overriding:

.cargo$ cat env
#!/bin/sh
# rustup shell setup
# affix colons on either side of $PATH to simplify matching
case ":${PATH}:" in
    *:"$HOME/.cargo/bin":*)
        ;;
    *)
        # Prepending path in case a system-installed rustc needs to be overridden
        export PATH="$HOME/.cargo/bin:$PATH"
        ;;
esac

bjorn3 · December 5, 2021, 1:26pm

Rustup currently puts it first, thus overriding it. @kpreid talked about what would happen if rustup was changed to put it last. In that case it won't override the system installation anymore.

system · March 5, 2022, 1:26pm

This topic was automatically closed 90 days after the last reply. We invite you to open a new topic if you have further questions or comments.

Topic		Replies	Views
Install rust on a VPS, as root or as a user? help	8	2425	November 18, 2019
Rust installer security problem	4	379	November 9, 2022
Installing via rustup with sudo help	3	1895	January 12, 2023
.cargo\bin PATH issue on Windows (absolute beginner) help	7	6709	May 31, 2020
From Rust to callable in a terminal? help	5	422	January 12, 2023

Rustup set an insecure PATH

Related Topics