On Wed, May 3, 2017 at 5:40 PM, Nikolay Aleksandrovich Pavlov (ZyX) <kp-...@yandex.ru> wrote:
[...]
> If $PATH in bash contains ~ (e.g. `PATH='~/bin'`) it is incorrectly treated
> as if $HOME is present.

Hm. You can start bash in POSIX mode (https://www.gnu.org/software/bash/manual/bash.html#Bash-POSIX-Mode) if you want to disable this feature.

i.e.

dualbus@debian:~$ bash --posix -c 'printf "%s\n" "#!/bin/bash" "echo hi" > ~/cmd; chmod +x ~/cmd; PATH=\~; declare -p PATH; cmd'
declare -x PATH="~"
bash: cmd: command not found

dualbus@debian:~$ bash -c 'printf "%s\n" "#!/bin/bash" "echo hi" > ~/cmd; chmod +x ~/cmd; PATH=\~; declare -p PATH; cmd'
declare -x PATH="~"
hi

Bash's behavior here is intentional by the way, review the function find_in_path_element in http://git.savannah.gnu.org/cgit/bash.git/tree/findcmd.c?h=devel#n527, it will perform tilde expansion if the path component starts with a tilde.

Perhaps it should be documented under https://www.gnu.org/software/bash/manual/bash.html#Bourne-Shell-Variables that bash treats tildes inside PATH specially.

Also, I think it's a bit of a stretch to call this a security problem. The scenario you describe (a user having a directory literally named `~' with a bin subdirectory, a malicious program creating evil binaries in $HOME/bin, the user having a misconfigured PATH, ...) is highly unlikely.
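
As an added example (not part of the original message and not bash's own code), a POSIX shell check that lists PATH components beginning with a literal tilde, next to the directory bash's default mode would search for each. The function names are hypothetical, and the expansion helper is a simplification that covers only `~` and `~/dir`.

```shell
#!/bin/sh
# Added example: audit a PATH string for components that start with a
# literal "~", which bash (outside POSIX mode) tilde-expands at lookup time.

# Print every component of a PATH-style string that begins with "~".
# Returns 0 if at least one was found, 1 otherwise.
find_tilde_entries() {
    _found=1
    _old_ifs=$IFS
    set -f                      # no globbing while the string is split
    IFS=:
    for _entry in $1; do
        case $_entry in
            "~"*) printf '%s\n' "$_entry"; _found=0 ;;   # quoted: literal tilde
        esac
    done
    IFS=$_old_ifs
    set +f
    return "$_found"
}

# Directory searched for one such component once the tilde is expanded.
# Simplification: handles "~" and "~/dir"; other forms are printed unchanged.
expand_like_bash() {
    case $1 in
        "~")   printf '%s\n' "$HOME" ;;
        "~/"*) printf '%s\n' "$HOME/${1#??}" ;;          # strip leading "~/"
        *)     printf '%s\n' "$1" ;;
    esac
}

# Report "component -> expanded directory" for the given PATH string
# (defaults to the current $PATH).
audit_path() {
    find_tilde_entries "${1-$PATH}" | while IFS= read -r _e; do
        printf '%s -> %s\n' "$_e" "$(expand_like_bash "$_e")"
    done
}

# Constructed sample input, not taken from a real system.
audit_path '/usr/local/bin:~/bin:/usr/bin:~'
```

An empty report means the same PATH resolves commands identically in `bash` and `bash --posix` as far as tilde handling goes.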