$HOME/.local/bin in $PATH

Reindl Harald h.reindl at thelounge.net
Fri Nov 1 09:48:41 UTC 2013


On 01.11.2013 10:38, drago01 wrote:
> On Fri, Nov 1, 2013 at 10:26 AM, Andrew Haley <aph at redhat.com> wrote:
>> On 10/30/2013 10:27 AM, Alec Leamas wrote:
>>> On 2013-10-30 11:23, Reindl Harald wrote:
>>>> On 30.10.2013 11:20, Alec Leamas wrote:
>>>>> On 2013-10-30 10:58, Reindl Harald wrote:
>>>>>> On 30.10.2013 10:53, Alec Leamas wrote:
>>>>>>> Some kind of reference for the bad in having a well-known, hidden directory in the path?
>>>>>> the *writeable for the user* is the problem
>>>>> Any reference for this problem?
>>>> what about considering the implications?
>>>> do you really need a written reference for any security relevant fact?
>>>> i can write one for you if you prefer links :-)
>>>>
>>> Well, the question is really if someone else out there shares your
>>> concerns about this.
>>
>> Why does it matter?  A hidden directory in everyone's path is obviously
>> useful to an attacker, and (IMO) more useful to an attacker than to a user.
> 
> The attacker needs to be able to write to your home directory to take
> advantage of it.
> And if he can do that (you lost) he has numerous other ways of doing it

so the people who decided not to put the current directory in the
PATH on Unix *for security reasons* decades ago must be
fools, and if you had been born when this happened you
would have told them "forget it, in that case you are lost"

heroic attitude :-)

*yes* you have lost and in doubt in this situation the
interesting thing is how large the impact becomes
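
The thread argues about a user-writable, hidden directory in PATH and compares it with the current directory in PATH. The following is an added example, not part of the original message: a read-only audit that flags both kinds of entry and shows which later commands a writable entry already overrides. The function names `classify_entry` and `audit_path` and the output format are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread: read-only audit of a PATH value.
# Run as the ordinary user; as root, "user-writable" is true almost everywhere.

# classify_entry DIR: print the risk flags for one PATH entry, or "ok".
classify_entry() {
    entry=$1; flags=
    case $entry in
        ''|.) flags="$flags cwd" ;;             # empty entry or "." is the current directory
        /*)   ;;                                # absolute path
        *)    flags="$flags relative" ;;        # resolved against the current directory
    esac
    case $entry in
        .[!./]*|*/.[!./]*) flags="$flags hidden" ;;   # dot-directory, e.g. ~/.local/bin
    esac
    if [ -d "$entry" ] && [ -w "$entry" ]; then
        flags="$flags user-writable"            # this user can add or replace commands here
    fi
    flags=${flags# }
    echo "${flags:-ok}"
}

# audit_path [PATHSTRING]: one "index<TAB>entry<TAB>flags" line per entry, plus a
# "shadows" line for each command in a user-writable entry that hides the same
# name in a later entry. Returns 1 if any entry was flagged.
audit_path() {
    p="${1-$PATH}:"                             # extra ":" keeps a trailing empty entry
    n=0; rc=0; old_ifs=$IFS
    IFS=:; set -f; set -- $p; set +f; IFS=$old_ifs
    for d in "$@"; do
        n=$((n + 1)); shift                     # "$@" now holds only the later entries
        f=$(classify_entry "$d")
        printf '%s\t%s\t%s\n' "$n" "${d:-<empty>}" "$f"
        [ "$f" = ok ] || rc=1
        case $f in *user-writable*) ;; *) continue ;; esac
        for cmd in "$d"/*; do
            [ -f "$cmd" ] && [ -x "$cmd" ] || continue
            for later in "$@"; do
                t="${later:-.}/${cmd##*/}"
                if [ -f "$t" ] && [ -x "$t" ]; then
                    printf 'shadows\t%s\t%s\n' "$cmd" "$t"; break
                fi
            done
        done
    done
    return "$rc"
}
```

Call `audit_path` with no argument to check the current `$PATH`; a `shadows` line means the writable entry comes first and its copy of the command is the one that runs.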



