I saw safe-rm (the package) installed in Kicksecure and was trying to test that when I discovered that my PATH doesn’t actually contain it:
% echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
A bit of digging led me to this line in /etc/zsh/zshrc
## Use root path from /etc/profile so programs in /sbin are highlighted in green
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Since zshrc runs after zprofile, this line, upon each interactive zsh shell, overwrites all PATH modifications done so far, including /etc/profile.d/safe-rm.sh, which I believe was sourced much earlier by greetd upon login. (Even if I copy / symlink this file to /etc/zprofile.d, the modifications to PATH still won’t survive the line in zshrc above.)
Per self-support-first policy, I tried to workaround this myself, but I wasn’t able to undo this in ~/.zshrc. Despite home being sourced later than etc, once the PATH is overwritten there’s no easy way to restore it or even know the previous value. I thought about editing /etc/zsh/zshrc but once I do this I’ll miss all future Kicksecure updates to this file, which may bring more security or usability features. I also thought about hard-coding my own PATH but that won’t reflect future changes to /etc/profile.d and /etc/zprofile.d automatically.
I also believe this problem is specific to Kicksecure (and Whonix) since this file came from one of Kicksecure APT packages, usability-misc. This problem is not reproducible in Debian.
Q: As a user, is there a good (clean) way to workaround this and preserve $PATH, or should this be patched by the Kicksecure distro?
One final thought: How important / useful is it to highlight programs in /sbin in green? Those are programs I normally won’t invoke unless with sudo. But sudo <command> makes the whole line magenta so the green won’t show anyway.
ZSH_HIGHLIGHT_PATTERNS+=('sudo*' 'fg=magenta')