From: Dr. András Korn
Date: Mon, 1 Jun 2015 09:12:40 +0000 (+0200)
Subject: zshenv: avoid placing empty components in PATH; reorder root's PATH
X-Git-Tag: v0.12.0~3
X-Git-Url: https://git.grml.org/?p=grml-etc-core.git;a=commitdiff_plain;h=69488205afe631b2d9489d0941d3290e1577faf9

zshenv: avoid placing empty components in PATH; reorder root's PATH

zsh treats an empty PATH component ("::") as ".", which creates a security hole. Sanitize PATH by explicitly removing empty components. As agreed on #grml, root's PATH should also list /usr/local/sbin and /usr/local/bin before /sbin, /bin, /usr/sbin and /usr/bin; and there is no harm in adding $HOME/bin unconditionally as the first PATH component.

--- diff --git a/etc/zsh/zshenv b/etc/zsh/zshenv index 954ca38..d696b56 100644 --- a/etc/zsh/zshenv +++ b/etc/zsh/zshenv @@ -90,17 +90,21 @@ if (( EUID != 0 )); then ) else path=( + $HOME/bin + /usr/local/sbin + /usr/local/bin /sbin /bin /usr/sbin /usr/bin - /usr/local/sbin - /usr/local/bin "${ADDONS}" "${path[@]}" ) fi +# remove empty components to avoid '::' ending up + resulting in './' being in $PATH +path=( "${path[@]:#}" ) + typeset -U path # less (:=pager) options:
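
Review bot: In the root branch (the `else` of `if (( EUID != 0 ))`), `$HOME/bin` becomes the first entry of root's PATH unconditionally, so any file in that directory shadows the binaries in /sbin, /bin, /usr/sbin and /usr/bin for every command root types. When a root shell is reached with HOME still pointing at an unprivileged user's home (sudo or su configurations that preserve HOME), that directory is writable by the unprivileged account. Suggest either listing `$HOME/bin` after the system directories for root, or adding it only when the directory exists and is owned by root. Separately, `path=( "${path[@]:#}" )` drops only empty strings: a literal `.` or other relative entry inherited through `"${path[@]}"` still survives, so the comment above it could say that the filter covers the empty-component case only.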