$HOME/.local/bin in $PATH

Reindl Harald h.reindl at thelounge.net
Fri Nov 1 10:14:13 UTC 2013 


Am 01.11.2013 11:08, schrieb Petr Viktorin:
> On 11/01/2013 10:48 AM, Reindl Harald wrote:
>> Am 01.11.2013 10:38, schrieb drago01:
>>> On Fri, Nov 1, 2013 at 10:26 AM, Andrew Haley <aph at redhat.com> wrote:
>>>> On 10/30/2013 10:27 AM, Alec Leamas wrote:
>>>>> On 2013-10-30 11:23, Reindl Harald wrote:
>>>>>> Am 30.10.2013 11:20, schrieb Alec Leamas:
>>>>>>> On 2013-10-30 10:58, Reindl Harald wrote:
>>>>>>>> Am 30.10.2013 10:53, schrieb Alec Leamas:
>>>>>>>>> Some kind of reference for the bad in having a well-known, hidden directory in the path?
>>>>>>>> the *writeable for the user* is the problem
>>>>>>> Any reference for this problem?
>>>>>> what about consider the implications?
>>>>>> do you really need a written reference for any security relevant fact?
>>>>>> i can write one for you if you prefer links :-)
>>>>>>
>>>>> Well, the question is really if someone else out there share your
>>>>> concerns about this.
>>>>
>>>> Why does it matter?  A hidden directory in everyone's path is obviously
>>>> useful to an attacker, and (IMO) more useful to an attacker than to a user.
>>>
>>> The attacker needs to be able to write to your home directory to take
>>> advantage of it.
>>> And if he can do that (you lost) he has numerous other ways of doing it
>>
>> so the people decided not put the current directory in the
>> PATH on Unix *for security reasons* decades ago must be
>> fools and if you would have been born as this happened you
>> would have told them "forget it, in that case you are lost"
> 
> Was that even for security reasons?

yes, Google may help here

> Anyway, how this is relevant to this discussion? How does a static, well-known (maybe not to you so far) bin
> directory compare to the danger of . PATH and, say, a rootkit in /tmp/cp?

the rootkit in /tmp/cp is in your path?

>> heroic attitude :-)
>>
>> *yes* you have lost and in doubt in this situation the
>> interesting thing is how large the impact becomes
> 
> Users of a multi-user system get to customize their system without having to bother a sysadmin, and without seeing
> technical details of that's accompished mixed with their ~/Photos and ~/Documents.

on multi-user systems it is *intentional* that the user does *not* install
software at it's own and if this should be the case the admin *one time*
will add a directory to PATH and say "there you go"

> What impact did *you* have in mind?

the *security* impact after "you have lost" happened

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 263 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20131101/3721aac4/attachment-0001.sig>

More information about the devel mailing list