Is it safe to add . to my PATH? How come?

If you're the only user on the machine it's okay, as long as you know what you're doing. The general concern is that by having your current directory in PATH, you cannot see commands as a constant list. If you need to run a script/program from your current directory, you can always explicitly run it by prepending ./ to its name (you telling the system "I want to run this file from my current directory").

Say, now you have all these little scripts all over your filesystem; one day you'll run the wrong one for sure. So, having your PATH as a predefined list of static paths is all about order and saving oneself from a potential problem.

However, if you're going to add . to your PATH, I suggest appending it to the end of the list (export PATH=$PATH:.). At least you won't override system-wide binaries this way.

If you're a root on the system and have system exposed to other users' accounts, having . in PATH is a huge security risk: you can cd to some user's directory, and unintentionally run a malicious script there only because you mistyped a thing or script that has the same name as a system-wide binary.


The risk is someone put a malicious executable in the directory that happen to be your current one.

The worst case happen when:

  • you are logged as root as the malicious command has unlimited damage power
  • . is at the beginning of your PATH as standard commands can be overridden without you noticing it (typically an ls which could hide itself from the list).

The risk is much lower if you are logged as a regular user and have the . at the end of your PATH but it still exists:

  • someone might find out you frequently mistype a command and install a matching one
  • someone might install a fake command with the name of one that is not installed.

Note that in any case, the risk is still there even if you are the only user of the machine. Malicious software would be installed if, for example, you happen to extract an archive downloaded from a compromised site.


Even if you are always very careful with what you type, putting . to your PATH, even at the end, is still insecure because some programs change the current directory to /tmp (which is world writable) and may also try execute utilities that are actually not installed, thus defaulting to what is in /tmp. If this occurs, this is a vector of attack.

Note also that there isn't much drawback of avoiding . in PATH, because ./ is easy to type (in particular on keyboards like QWERTY, where these characters are on consecutive keys and do not need Shift) and using ./ will also help completion, thus potentially saving keystrokes at the end.

If you really want to be able to type commands from the current directory, then modern shells (like zsh, with its command_not_found_handler) may provide features to do that safely, i.e. allowing you to add all the security checks you want in the handler, before the command is executed.

Tags:

Path