$HOME/.local/bin in $PATH
mitr at volny.cz
Fri Nov 1 19:55:21 UTC 2013
On Fri, Nov 1, 2013 at 7:12 PM, Andrew Haley <aph at redhat.com> wrote:
> On 11/01/2013 09:38 AM, drago01 wrote:
>> The attacker needs to be able to write to your home directory to
>> take advantage of it. And if he can do that (you lost) he has
>> numerous other ways of doing it.
> That is true. However, there is an advantage to this one for the
> attacker: the user probably doesn't know it's there.
I don't think this in practice matters _for security_: Even the
users that know ~/bin exists are extremely unlikely to be regularly
checking its contents to see whether a malicious file hasn't been
> It's a matter of the attack surface: the 'sum of the different points
> (the "attack vectors") where an unauthorized user (the "attacker") can
> try to enter.' [Wikipedia]
In all of the scenarios we've been talking about, the attack has
already _succeeded_; there is no longer any relevant attack surface
 It might matter for troubleshooting.
 Possible privilege escalation attacks to get root's or other
users' permissions are irrelevant to our discussion.