zshenv: avoid placing empty components in PATH; reorder root's PATH

zsh treats an empty PATH component ("::") as ".", which creates a
security hole. Sanitize PATH by explicitly removing empty
components.

As agreed on #grml, root's PATH should also list /usr/local/sbin
and /usr/local/bin before /sbin, /bin, /usr/sbin and /usr/bin;
and there is no harm in adding $HOME/bin unconditionally as the
first PATH component.

diff --git a/etc/zsh/zshenv b/etc/zsh/zshenv
index 954ca38..d696b56 100644 (file)
--- a/etc/zsh/zshenv
+++ b/etc/zsh/zshenv
@@ -90,17 +90,21 @@ if (( EUID != 0 )); then
   )
 else
   path=(
+    $HOME/bin
+    /usr/local/sbin
+    /usr/local/bin
     /sbin
     /bin
     /usr/sbin
     /usr/bin
-    /usr/local/sbin
-    /usr/local/bin
     "${ADDONS}"
     "${path[@]}"
   )
 fi
 
+# remove empty components to avoid '::' ending up + resulting in './' being in $PATH
+path=( "${path[@]:#}" )
+
 typeset -U path
 
 # less (:=pager) options: