🔒 Aisle Security Analysis

We found 1 potential security issue(s) in this PR:

1. 🔵 Untrusted PATH search when invoking systemctl enables binary hijacking under elevated execution

Description

The daemon utilities invoke systemctl by name (not absolute path) via execFile, which relies on PATH lookup.

• execSystemctl() calls execFileUtf8("systemctl", ...).
• execFile does not use a shell (good), but it does resolve the executable using the current process PATH.
• In multiple flows (including isSystemdServiceEnabled), this can run while the process is invoked under sudo (the code explicitly detects SUDO_USER and changes behavior). If a privileged invocation occurs with an attacker-influenced PATH (e.g., sudo -E, misconfigured secure_path, or a service/unit that sets PATH to include a user-writable directory), an attacker can place a malicious systemctl earlier in PATH and gain code execution with the privileges of the OpenClaw process.

Vulnerable code:

async function execSystemctl(args: string[]): Promise<{ stdout: string; stderr: string; code: number }> {
  return await execFileUtf8("systemctl", args);
}

And used from:

const res = await execSystemctlUser(env, ["is-enabled", unitName]);

Recommendation

Mitigate executable-hijacking by avoiding PATH resolution for privileged command execution.

Recommended approaches (pick one):

1. Use an absolute path to systemctl (and optionally verify it is owned by root and not writable):

const SYSTEMCTL_PATH = "/usr/bin/systemctl"; // or detect from a small allowlist
return await execFileUtf8(SYSTEMCTL_PATH, args, {
  env: {
    ...process.env,
    PATH: "/usr/sbin:/usr/bin:/sbin:/bin",
  },
});

2. Provide a hardened environment to execFile (at minimum, set a safe PATH) and avoid inheriting potentially unsafe values when running under sudo/root.

Additionally, consider inserting -- before the unit name in calls like systemctl ... is-enabled -- <unit> to defensively prevent any option-like unit name from being parsed as a flag.

Analyzed PR: #38819 at commit 38f618c

_{Last updated on: 2026-03-07T12:17:58Z}

Greptile Summary

This PR fixes a fresh-install failure where systemctl --user is-enabled was called before OpenClaw's managed unit file existed, causing distro-dependent child-process errors to bubble up as install failures. The fix adds an existence check for the unit file via fs.access at the top of isSystemdServiceEnabled, returning false immediately on ENOENT (service not yet installed) without invoking systemctl, while still rethrowing any other filesystem errors.

Key changes:

• src/daemon/systemd.ts: Early-return on ENOENT from fs.access(resolveSystemdUnitPath(env)) before calling systemctl is-enabled. Also fixes a subtle pre-existing inconsistency where resolveSystemdServiceName was passed args.env ?? {} instead of the fully-resolved env (args.env ?? process.env), ensuring the service name and unit file path always resolve from the same environment.
• src/daemon/systemd.test.ts: Adds vi.restoreAllMocks() to beforeEach to properly clean up fs spies, introduces mockManagedUnitPresent() helper, and adds a dedicated test asserting that execFileMock is never called when the unit file is absent. All affected tests now mock fs.access and provide HOME env variable for proper path resolution.

Confidence Score: 4/5

• Safe to merge—targeted, well-tested fix with correct error handling and no regressions to existing behavior.
• The change is narrow in scope (one function, one new guard clause), correctly handles all error codes (ENOENT → silent false, everything else → rethrow), preserves all existing systemctl error-handling paths, and is backed by a new dedicated test plus updates to all affected existing tests. The subtle env-consistency fix is a clear improvement with no downside.
• No files require special attention.

_{Last reviewed commit: 38f618c}

Landed via temp rebase onto main.

• Gate: pnpm tsgo && pnpm test --run src/daemon/systemd.test.ts src/cli/daemon-cli/install.integration.test.ts
• Land commit: 38f618c34af5b263996d95cc6330f864db90e2f2
• Merge commit: 26c9796