Adding ~/.local/bin to default PATH

Alexander Boström abo at root.snowtree.se
Thu Jul 28 05:27:14 UTC 2011


On Wed, 2011-07-27 at 21:59 +0200, Marc-André Lureau wrote:
> 
> I don't understand the security risks. If something is allowed to
> write to ~/.local/bin (or ~/bin etc..), then surely it's able to read
> elsewhere or do something else nasty. Could someone detail it?

Also, consider that the attacker would need to be able to set the mode
of the file to executable, which is not required for .bash*. Since it's
at the end of PATH, they would have to install a binary that doesn't
exist in /usr/bin already and then trick the user into running it at some
later point. Too complicated when there are so many much easier attack
points in the home directory.

Oh, and why should .bashrc be hidden? Some attacker might hide code
there! (See what I'm getting at here?)

The security argument is _bogus_ and splitting hairs in any case.

Btw, if it's wrong to promote ~/.local/bin, then why should ~/bin be
there by default? 

/Alexander
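
The PATH-order and execute-bit points in this message can be checked mechanically. The following audit is an added example, not part of the original message; the function names and the constructed directory layout (`usrbin`, `localbin`) are assumptions for illustration.

```shell
#!/bin/sh
# resolve_in_path NAME PATHSTRING
# Print the first PATH entry that holds an executable regular file NAME.
# Runs in a subshell so the IFS and noglob changes stay local.
resolve_in_path() (
    IFS=:
    set -f
    for dir in $2; do
        [ -n "$dir" ] || dir=.          # empty PATH entry means current directory
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir"
            exit 0
        fi
    done
    exit 1
)

# audit_user_bin DIR PATHSTRING
# Classify every regular file in DIR by what a PATH lookup would do with it.
audit_user_bin() (
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        if [ ! -x "$f" ]; then
            echo "inert    $name (no execute bit)"
        elif winner=$(resolve_in_path "$name" "$2") && [ "$winner" = "$1" ]; then
            echo "active   $name"       # typing this name runs the file in DIR
        elif [ -n "$winner" ]; then
            echo "shadowed $name (by $winner)"
        else
            echo "offpath  $name"       # DIR is not in PATHSTRING at all
        fi
    done
)

# Constructed sample layout: a system directory placed before a user directory.
demo() (
    tmp=$(mktemp -d) || exit 1
    mkdir "$tmp/usrbin" "$tmp/localbin"
    for f in usrbin/ls localbin/ls localbin/mytool localbin/notes; do
        printf '#!/bin/sh\n' > "$tmp/$f"
    done
    chmod +x "$tmp/usrbin/ls" "$tmp/localbin/ls" "$tmp/localbin/mytool"
    audit_user_bin "$tmp/localbin" "$tmp/usrbin:$tmp/localbin" | sed "s|$tmp/||"
    rm -rf "$tmp"
)
demo
```

To audit a real account, run `audit_user_bin "$HOME/.local/bin" "$PATH"`; any unexpected "active" entry is a name that resolves to the user-writable directory.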



