
[Bug] - Ensure root PATH Integrity

Open venkateshkonada opened this issue 9 months ago • 2 comments

Describe the bug

CIS Benchmark flagged the AL2023 instance with the high finding below. The root user can execute any command on the system and could be fooled into executing programs unintentionally if the PATH is not set correctly.

https://www.tenable.com/audits/items/CIS_Amazon_Linux_2023_v1.0.0_L1_Server.audit:abcd8cdbcc5332f9ec11c6c38a52e414

To Reproduce

Steps to reproduce the behavior:

  a. Launch Amazon Linux 2023 instance
  b. Run the following script to verify the results

```bash
#!/bin/bash

# Resolve the PATH that root receives from a login shell.
RPCV="$(sudo -Hiu root env | grep '^PATH' | cut -d= -f2)"

# An empty entry (::) or a trailing colon is treated as the current directory.
echo "$RPCV" | grep -q "::" && echo "root's path contains an empty directory (::)"
echo "$RPCV" | grep -q ":$" && echo "root's path contains a trailing (:)"

# Check every directory on the PATH for existence, ownership and write permissions.
for x in $(echo "$RPCV" | tr ":" " "); do
    if [ -d "$x" ]; then
        ls -ldH "$x" | awk '$9 == "." {print "PATH contains current working directory (.)"}
            $3 != "root" {print $9, "is not owned by root"}
            substr($1,6,1) != "-" {print $9, "is group writable"}
            substr($1,9,1) != "-" {print $9, "is world writable"}'
    else
        echo "$x is not a directory"
    fi
done
```

Expected behavior

```text
/root/.local/bin is not a directory
/root/bin is not a directory
/var/lib/snapd/snap/bin is not a directory
```

Server (please complete the following information):

  • OS: Amazon Linux 2023
  • Kernel : 6.1.128-136.201.amzn2023.x86_64

Additional context

It seems /etc/skel/bashrc and /etc/bashrc set the home directory in the PATH environment variable for the root user.

```bash
if ! [[ "$PATH" =~ "$HOME/.local/bin:$HOME/bin:" ]]
then
    PATH="$HOME/.local/bin:$HOME/bin:$PATH"
fi
export PATH
```

This issue is reported on all Amazon Linux 2023 flavors, including EKS and EMR; however, a similar issue was not found on Amazon Linux 2.

Unsure how the /var/lib/snapd/snap/bin path is set; however, the flagged paths do not exist on the server.

venkateshkonada avatar Mar 12 '25 20:03 venkateshkonada

@venkateshkonada unsure how the /var/lib/snapd/snap/bin path is set ... look into /etc/sudoers for details:

```text
#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME"

Defaults    secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin
```

elsaco avatar Mar 13 '25 01:03 elsaco

Thank you @elsaco , that helps.

Could we update the bashrc for root (UID=0) in /etc/skel/bashrc, or comment out the following lines in /root/.bashrc?

```bash
if ! [[ "$PATH" =~ "$HOME/.local/bin:$HOME/bin:" ]]
then
    PATH="$HOME/.local/bin:$HOME/bin:$PATH"
fi
export PATH
```

venkateshkonada avatar Mar 14 '25 15:03 venkateshkonada
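The audit script from the first post and the .bashrc prepend discussed in the last comment, reworked as an added example that is not code from this issue, from the CIS audit, or from Amazon Linux: `check_path` audits any PATH string (including the "is not a directory" case that triggered the finding) and `prepend_existing` is an assumed remedy that only adds `$HOME/.local/bin`-style directories when they actually exist. It assumes bash and GNU `stat`.

```bash
#!/bin/bash
# Added example, not code from the issue or from the CIS audit: a reusable
# version of the root PATH check, plus a guarded form of the .bashrc prepend
# so directories that do not exist are never added to root's PATH.

# Audit one colon-separated PATH string. Prints one line per finding and
# returns 1 if anything was found, 0 if clean. Uses GNU stat (Linux).
check_path() {
    local p="$1" rc=0 x owner perm
    [[ "$p" == *::* ]] && { echo "PATH contains an empty directory (::)"; rc=1; }
    [[ "$p" == *: ]]   && { echo "PATH contains a trailing (:)"; rc=1; }
    local IFS=':'
    for x in $p; do
        [ -z "$x" ] && continue              # empty entry, reported above
        if [ "$x" = "." ]; then
            echo "PATH contains current working directory (.)"; rc=1; continue
        fi
        if [ ! -d "$x" ]; then
            echo "$x is not a directory"; rc=1; continue  # the AL2023 finding
        fi
        owner=$(stat -c '%u' "$x"); perm=$(stat -c '%A' "$x")
        [ "$owner" != 0 ]        && { echo "$x is not owned by root"; rc=1; }
        [ "${perm:5:1}" != "-" ] && { echo "$x is group writable"; rc=1; }
        [ "${perm:8:1}" != "-" ] && { echo "$x is world writable"; rc=1; }
    done
    return $rc
}

# Guarded replacement for the /etc/skel .bashrc lines quoted in the issue
# (an assumed remedy, not an Amazon Linux change): prepend only directories
# that exist and are not already on the PATH, keeping the given order.
prepend_existing() {
    local p="$1" prefix="" d; shift
    for d in "$@"; do
        [ -d "$d" ] && [[ ":$p:" != *":$d:"* ]] && prefix="$prefix$d:"
    done
    printf '%s\n' "$prefix$p"
}

# Constructed fixture: a scratch tree with one world-writable directory, so
# both functions can be exercised without touching the real root PATH.
demo() {
    local t; t=$(mktemp -d)
    mkdir -p "$t/good" "$t/loose"; chmod 755 "$t/good"; chmod 777 "$t/loose"
    echo "== audit =="; check_path "$t/good:$t/loose:$t/missing::$t/bin:"
    echo "== guarded prepend =="; prepend_existing /usr/bin "$t/missing" "$t/good"
    rm -rf "$t"
}
demo
```

Run as an unprivileged user the fixture directories will also be reported as "not owned by root", which is exactly what the CIS check would say about them on a real host.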