The secure_path value, if set, will be used as PATH environment variable for the commands you run using sudo.
That means, when you run e.g. sudo apt update, the system will try to look up the command apt in the directories specified in the secure_path, in the specified order.
Now if you add a directory to which non-root users have write access to the secure_path, you can do it in two positions:
append to the end of the secure_path list, with least priority
insert at the beginning or in the middle of the secure_path list, with higher priority.
Appending to the end is almost safe if as it will not change how existing commands will be resolved, it just allows executables from a different directory to be executed without explicitly specifying their location as well. The fact that this additional directory is writeable for non-root users allows them to put malicious files in there without elevated privileges though, so you have to be careful when typing any command that is located there (willingly or by mistyping something else).
However, if you put your directory not as last element but with higher priority, the contents of that directory will shadow and override those from the locations that come after it in secure_path. For example, if you put your user directory first and it contains a (malicious?) executable named apt, the next time you run sudo apt update you will get a surprise...
I would also never directly add the home directory to any PATH or secure_path, but instead create a dedicated directory, e.g. /home/USERNAME/bin for that, which only contains the executables I want to have on my PATH and nothing else.
Conclusion:
You should not put any directories into secure_path if they are writeable for anyone except the root user. Otherwise normal users without elevated privileges (including malware or attackers compromising such an account) can put their own executables there and wait for anybody with sudo rights to accidentally (use common misspellings of frequently used commands as file names) or willingly execute it.
If you really want to do so though, try to restrict write permissions to that directory as tightly as possible, and make sure that you add the directory as last element of secure_path to prevent anything in there shadowing system executables.
Alternatives
However, the safe way would still remain to just always type out the full path to the executables outside the default secure_path if you want to run them with sudo.
You could also use a command-substitution with which to get the full path of something in your user's PATH, like
The
secure_path
value, if set, will be used asPATH
environment variable for the commands you run usingsudo
.That means, when you run e.g.
sudo apt update
, the system will try to look up the commandapt
in the directories specified in thesecure_path
, in the specified order.Now if you add a directory to which non-root users have write access to the
secure_path
, you can do it in two positions:secure_path
list, with least prioritysecure_path
list, with higher priority.Appending to the end is almost safe if as it will not change how existing commands will be resolved, it just allows executables from a different directory to be executed without explicitly specifying their location as well. The fact that this additional directory is writeable for non-root users allows them to put malicious files in there without elevated privileges though, so you have to be careful when typing any command that is located there (willingly or by mistyping something else).
However, if you put your directory not as last element but with higher priority, the contents of that directory will shadow and override those from the locations that come after it in
secure_path
. For example, if you put your user directory first and it contains a (malicious?) executable namedapt
, the next time you runsudo apt update
you will get a surprise...I would also never directly add the home directory to any
PATH
orsecure_path
, but instead create a dedicated directory, e.g./home/USERNAME/bin
for that, which only contains the executables I want to have on myPATH
and nothing else.Conclusion:
You should not put any directories into
secure_path
if they are writeable for anyone except the root user. Otherwise normal users without elevated privileges (including malware or attackers compromising such an account) can put their own executables there and wait for anybody withsudo
rights to accidentally (use common misspellings of frequently used commands as file names) or willingly execute it.If you really want to do so though, try to restrict write permissions to that directory as tightly as possible, and make sure that you add the directory as last element of
secure_path
to prevent anything in there shadowing system executables.Alternatives
However, the safe way would still remain to just always type out the full path to the executables outside the default
secure_path
if you want to run them withsudo
.You could also use a command-substitution with
which
to get the full path of something in your user'sPATH
, like