Why should not I add current directory to PATH in Linux?

In summary, adding the current directory to the $PATH variable can lead to security vulnerabilities, as it allows malicious users to execute potentially harmful commands from the current directory. This can be mitigated by placing the current directory at the end of $PATH rather than the beginning. This was demonstrated in the example given, where a sneaky ls command in the current directory was executed instead of the authentic one in the /bin directory.
  • #1
shivajikobardan
674
54
TL;DR Summary
Why should not I add current directory to PATH in Linux?
1686407676824.png

I get that if I put current directory in PATH like said above, I can execute commands from any directory. But what's the problem in that? How's other person able to come and execute it? Why does it makes system unsecure compared to the case where we don't put current directory to PATH? Can you explain the example he's telling?
 
Technology news on Phys.org
  • #2
To make his example more explicit, suppose that the directory you're currently in, has a program (put there by some sneaky person) named ls, that reformats your disk, or encrypts it with a secret password, or something like that. You decide to find out what files are in the directory, and type the usual ls command. It runs the sneaky ls instead of the normal ls command which is something like /usr/bin/ls.
 
  • Like
Likes shivajikobardan
  • #3
In that example, the system will look in the current directory before looking in /bin or /usr/bin. It will therefore run the dodgy ./ls rather than the authentic /bin/ls. And the malicious user can modify ./ls so it doesn't list itself when imitating the output of /bin/ls.

This can be mitigated by placing . at the end of $PATH rather than the beginning.
 
  • #4
pasmith said:
In that example, the system will look in the current directory before looking in /bin or /usr/bin. It will therefore run the dodgy ./ls rather than the authentic /bin/ls. And the malicious user can modify ./ls so it doesn't list itself when imitating the output of /bin/ls.

This can be mitigated by placing . at the end of $PATH rather than the beginning.
thank you. I got this now.
 

Related to Why should not I add current directory to PATH in Linux?

1. Why should I not add the current directory to PATH in Linux?

Adding the current directory to your PATH in Linux can pose a security risk as it allows for the execution of potentially malicious scripts or binaries in your current directory without specifying their full path.

2. Can adding the current directory to PATH cause conflicts with system binaries?

Yes, adding the current directory to your PATH can potentially cause conflicts with system binaries if a script or binary in your current directory has the same name as a system binary. This can lead to unintended consequences or security vulnerabilities.

3. How can I run scripts or binaries in the current directory without adding it to PATH?

You can run scripts or binaries in the current directory by specifying the full path to the script or binary when executing it. For example, to run a script called "myscript.sh" in the current directory, you can use "./myscript.sh" to execute it.

4. Are there any alternative ways to avoid adding the current directory to PATH?

Yes, you can create a separate directory for your scripts or binaries and add that directory to your PATH instead of the current directory. This helps to keep your system organized and reduces the risk of executing malicious scripts or binaries inadvertently.

5. What are the best practices for managing the PATH environment variable in Linux?

It is recommended to only add directories containing trusted scripts or binaries to your PATH in Linux. Avoid adding the current directory or directories with untrusted content to your PATH to minimize security risks and prevent conflicts with system binaries.

Similar threads

Python Why is a temporary directory created when using the Python library matplotlib?
    • Programming and Computer Science
Replies
9
Views
3K
Troubleshooting CMD: Issue with Running .exe Files Using PATH
    • Computing and Technology
Replies
19
Views
2K
Small confusion about redirection in Linux
    • Programming and Computer Science
Replies
10
Views
1K
Mysqld command does not start the MySQL Server
    • Programming and Computer Science
Replies
12
Views
9K
Why do many applications come with their own terminal instead of using the native shell?
    • Programming and Computer Science
Replies
3
Views
789
How did early compilers overcome the need for a compiler to compile itself?
    • Programming and Computer Science
Replies
6
Views
1K
What do you think of Windows Subsystem for Linux (WSL)?
    • Computing and Technology
Replies
12
Views
4K
Lunatic program on Linux and Smaky ?
    • Programming and Computer Science
Replies
1
Views
2K
Requesting suggestions for languages, libraries, and architectures for parallel (and sometimes non parallel) numerical and scientific computations
    • Programming and Computer Science
Replies
8
Views
2K
MinGW/MSYS problem with search path
    • Programming and Computer Science
Replies
2
Views
5K

Hot Threads

Recent Insights

Back
Top