Adding ~/.local/bin to default PATH

Bryn M. Reeves bmr at redhat.com
Thu Jul 28 12:00:28 UTC 2011


On 07/28/2011 12:54 PM, Bernd Stramm wrote:
> On Thu, 28 Jul 2011 11:24:48 +0100
> "Bryn M. Reeves" <bmr at redhat.com> wrote:
>> There are already quite a few things that may place executables
>> under . prefixed paths in home. Java web start (javaws) for instance
>> will install an entire jre under .java/deployment/cache, wine has for
>> many years installed Windows executables (that can be executed by the
>> system) under .wine, browser plugins may be installed
>> to .mozilla/plugins and are just as capable of performing "evil"
>> actions as an executable (e.g. drop a malicious plugin that hijacks
>> some common MIME types, do your $evil and then wrap the intended
>> plugin).
>>
>> There are various other examples - on an older release I find 171
>> such files under ~/:
>>
>> $ find $(l. | egrep -v '\.$|\.\.$') -type f -perm /111 | wc -l
>> 171
> 
> This is no excuse to add to a bad habit.

I'm not using it as an excuse for anything but I do think it is evidence that
the security implications being bandied around in this thread are rather
overblown; as others have said an attacker that can write to these locations is
/already/ a problem.

Using ~/.local (or any other path in home) doesn't make that any better or worse.

Regards,
Bryn.
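
An added example, not part of the original message: a portable form of the count quoted above that does not depend on the `l.` alias, together with a check of which PATH entries the current user can write to. The function names are this example's own, and the three `-perm` tests are the POSIX spelling of GNU find's `-perm /111`.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# count_hidden_execs DIR
# Count regular files with any execute bit set that live under the
# dot-prefixed top-level entries of DIR (typically $HOME).
count_hidden_execs() {
    n=0
    # .[!.]* and ..?* together match every dot entry except . and ..
    for entry in "$1"/.[!.]* "$1"/..?*; do
        [ -e "$entry" ] || continue   # pattern did not match anything
        c=$(find "$entry" -type f \
              \( -perm -100 -o -perm -010 -o -perm -001 \) 2>/dev/null | wc -l)
        n=$((n + c))
    done
    echo "$n"
}

# user_writable_path_dirs PATHSTRING
# Print each directory in a PATH-style string that exists and that the
# current user can write to. Runs in a subshell so the IFS and noglob
# changes do not leak into the caller.
user_writable_path_dirs() (
    IFS=:
    set -f
    for dir in $1; do
        # An empty entry (leading ':' or '::') means the current directory.
        [ -n "$dir" ] || dir=.
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            printf '%s\n' "$dir"
        fi
    done
)

# Report for the current account.
echo "executables under dot-paths in ${HOME:-.}: $(count_hidden_execs "${HOME:-.}")"
echo "user-writable PATH entries:"
user_writable_path_dirs "$PATH"
```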

