Rustup set an insecure PATH

$ echo $PATH
/home/user/.cargo/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/sbin:/usr/sbin

Putting the user's home in the first section of the $PATH is insecure; it should be in the last section of the path.

An attacker that gets access to the user account can create a script named sudo in .cargo/bin; when the real user types sudo and enters his password, the script sends the password to the attacker or setuids a shell, creating a backdoor. Basically all the binaries can be hijacked.

Solution:
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/sbin:/usr/sbin:/home/sha0/.cargo/bin

Rustup env:
# Prepending path in case a system-installed rustc needs to be overridden
export PATH="$HOME/.cargo/bin:$PATH"

Functionality or security, you choose, but I consider Rust as a hope in security.

You should probably file this as an issue in the rustup repo to make sure the rustup maintainers see it.

1 Like

I sent an email to the rust security team, but I'm sure they already know it.

If an attacker gets access to the user account, they can just modify PATH to whatever they want, right?

1 Like

True, unless .bashrc and so on are protected with chattr; the path issue is just an extra insecurity.

If you are concerned about such things, which is completely legitimate, you should build Rust projects as a dedicated unprivileged user and/or in a sandbox, etc. The typical Rust build downloads dependencies from the internet and compiles them, which includes running any build.rs files they have -- i.e. running arbitrary programs.

(Not saying your suggestion shouldn't be followed too.)

3 Likes

Note that if rustup put /home/user/.cargo/bin last instead of first, then it would not override a system installation of Rust.

Nope, it's overriding:

.cargo$ cat env
#!/bin/sh
# rustup shell setup
# affix colons on either side of $PATH to simplify matching
case ":${PATH}:" in
    *:"$HOME/.cargo/bin":*)
        ;;
    *)
        # Prepending path in case a system-installed rustc needs to be overridden
        export PATH="$HOME/.cargo/bin:$PATH"
        ;;
esac

Rustup currently puts it first, thus overriding it. @kpreid talked about what would happen if rustup was changed to put it last. In that case it won't override the system installation anymore.
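
An added example, not part of any post in this thread and not rustup's code: a POSIX sh check that lists executables in PATH entries under the home directory which shadow a same-named file in a later entry outside it. The function names and the temporary sample tree are constructed for illustration; the output shows that the shadowing of sudo raised in the first post and the override of a system rustc are the same mechanism.

```shell
#!/bin/sh
# usage: path_shadows PATH_STRING HOME_DIR
# Prints "<home copy> shadows <later copy>" for every executable in a PATH
# entry under HOME_DIR that hides a same-named file in a later entry outside it.
path_shadows() {
    path_string=$1
    home_dir=${2%/}
    old_ifs=$IFS; IFS=:
    set -f; set -- $path_string; set +f   # split on ':' without globbing
    IFS=$old_ifs
    while [ "$#" -gt 1 ]; do
        dir=$1; shift                      # "$@" now holds the later entries
        case "$dir/" in
            "$home_dir"/*) ;;              # entry lives under the home directory
            *) continue ;;
        esac
        for candidate in "$dir"/*; do
            [ -f "$candidate" ] && [ -x "$candidate" ] || continue
            name=${candidate##*/}
            for later in "$@"; do
                case "$later/" in "$home_dir"/*) continue ;; esac
                if [ -f "$later/$name" ] && [ -x "$later/$name" ]; then
                    printf '%s shadows %s\n' "$candidate" "$later/$name"
                    break
                fi
            done
        done
    done
}

# Constructed sample tree (not from the thread): a rustup-style ~/.cargo/bin
# and a stand-in system directory, each holding sudo and rustc.
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/home/user/.cargo/bin" "$root/usr/bin"
    for f in home/user/.cargo/bin/sudo home/user/.cargo/bin/rustc \
             usr/bin/sudo usr/bin/rustc; do
        printf '#!/bin/sh\n' > "$root/$f" && chmod +x "$root/$f"
    done
    printf '%s\n' "$root"
}

root=$(make_fixture)
echo "cargo bin first (rustup's env script):"
path_shadows "$root/home/user/.cargo/bin:$root/usr/bin" "$root/home/user"
echo "cargo bin last (order proposed in the first post):"
path_shadows "$root/usr/bin:$root/home/user/.cargo/bin" "$root/home/user"
rm -rf "$root"
```

To audit a real login environment, call `path_shadows "$PATH" "$HOME"`; any line naming something other than the Rust toolchain is worth a look.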