$HOME/.local/bin in $PATH

drago01 drago01 at gmail.com
Sat Nov 2 09:22:50 UTC 2013


On Fri, Nov 1, 2013 at 11:54 PM, Christopher <ctubbsii at apache.org> wrote:
> On Fri, Nov 1, 2013 at 5:38 AM, drago01 <drago01 at gmail.com> wrote:
>> On Fri, Nov 1, 2013 at 10:26 AM, Andrew Haley <aph at redhat.com> wrote:
>>> On 10/30/2013 10:27 AM, Alec Leamas wrote:
>>>> On 2013-10-30 11:23, Reindl Harald wrote:
>>>>> On 30.10.2013 11:20, Alec Leamas wrote:
>>>>>> On 2013-10-30 10:58, Reindl Harald wrote:
>>>>>>> On 30.10.2013 10:53, Alec Leamas wrote:
>>>>>>>> Some kind of reference for the bad in having a well-known, hidden directory in the path?
>>>>>>> the *writeable for the user* is the problem
>>>>>> Any reference for this problem?
>>>>> what about considering the implications?
>>>>> do you really need a written reference for any security-relevant fact?
>>>>> I can write one for you if you prefer links :-)
>>>>>
>>>> Well, the question is really whether someone else out there shares your
>>>> concerns about this.
>>>
>>> Why does it matter?  A hidden directory in everyone's path is obviously
>>> useful to an attacker, and (IMO) more useful to an attacker than to a user.
>>
>> The attacker needs to be able to write to your home directory to take
>> advantage of it.
>> And if he can do that (you lost) he has numerous other ways of doing it.
>
> You seem to be saying that attackers don't make decisions based on the
> probability of getting caught, or based on the level of visibility
> their actions might incur. There's a reason why muggers tend to mug at
> night, thieves are more likely to sneak in an unlocked door than break
> a window, and malware renames files to look innocuous: the less
> visible, the more effective they are able to not get caught and
> continue to exploit.
>
> Now, we could argue that ~/.local/bin is *just as* visible as ~/bin,
> because they are both on the PATH,

Sorry, but I still don't buy the visibility argument. Do you really check
what is inside ~/bin before running every command? Even if you do that, I
do not need a survey to claim that a majority of users simply do not do
that.
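The disagreement above is about what a writable, hidden directory on PATH lets someone with write access do, and whether anyone notices. As an added example (not code from this thread, from Fedora, or from any of the participants), the POSIX shell script below audits a PATH value from the defender's side: it flags entries that are hidden, writable by the current user, or empty (an empty element means the current directory), and lists executables in an entry that shadow a same-named command found later in the same PATH. It assumes only a POSIX sh with mktemp and chmod; the directory tree and command names it builds are constructed for the demo and are not a real user's home.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a PATH value the way a
# defender would, flagging directory entries that are hidden, writable by
# the current user, or empty (meaning the current directory), and listing
# executables that shadow a same-named command found later in the PATH.

# later_match NAME PATHVALUE: print the first NAME found as an executable
# in any directory of PATHVALUE and return 0; return 1 if none.
later_match() {
    lm_rest="$2:"                      # trailing colon acts as a sentinel
    while [ -n "$lm_rest" ]; do
        d="${lm_rest%%:*}"
        lm_rest="${lm_rest#*:}"
        if [ -n "$d" ] && [ -f "$d/$1" ] && [ -x "$d/$1" ]; then
            printf '%s\n' "$d/$1"
            return 0
        fi
    done
    return 1
}

# audit_path PATHVALUE: print one finding per line; return 0 when there are
# no findings and 1 otherwise. Note that -w is always true when run as root.
audit_path() {
    rest="$1:"                         # sentinel so a trailing ':' is seen
    n=0
    while [ -n "$rest" ]; do
        dir="${rest%%:*}"
        rest="${rest#*:}"
        if [ -z "$dir" ]; then
            printf 'EMPTY-ENTRY (current directory is searched)\n'
            n=$((n + 1))
            continue
        fi
        [ -d "$dir" ] || continue
        case "$dir" in
            */.*) printf 'HIDDEN %s\n' "$dir"; n=$((n + 1)) ;;
        esac
        if [ -w "$dir" ]; then
            printf 'WRITABLE %s\n' "$dir"
            n=$((n + 1))
        fi
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            # "$rest" holds only the entries after this one, so a match
            # there is exactly what this entry would shadow.
            if other=$(later_match "${f##*/}" "$rest"); then
                printf 'SHADOW %s shadows %s\n' "$f" "$other"
                n=$((n + 1))
            fi
        done
    done
    [ "$n" -eq 0 ]
}

# make_demo BASEDIR: build a constructed tree (not a real home directory)
# under BASEDIR and print the PATH value to audit. Both directories are
# writable here because they live under a temp dir; on a real system the
# system directory would be root-owned and not writable by the user.
make_demo() {
    mkdir -p "$1/.local/bin" "$1/sys/bin"
    for cmd in ls cat; do
        printf '#!/bin/sh\necho system %s\n' "$cmd" > "$1/sys/bin/$cmd"
    done
    printf '#!/bin/sh\necho not the system ls\n' > "$1/.local/bin/ls"
    printf '#!/bin/sh\necho user tool\n' > "$1/.local/bin/mytool"
    chmod 755 "$1/sys/bin/ls" "$1/sys/bin/cat" \
              "$1/.local/bin/ls" "$1/.local/bin/mytool"
    printf '%s\n' "$1/.local/bin:$1/sys/bin"
}

# Stand-alone run: audit the constructed PATH, then clean up.
demo_base=$(mktemp -d)
audit_path "$(make_demo "$demo_base")" || echo "review the findings above"
rm -rf "$demo_base"
```

Run it against a real session with `audit_path "$PATH"`; the interesting lines are SHADOW entries pointing into a directory the user (or anything running as the user) can write, which is the case both sides of the thread are describing. The script reports rather than fixes, since whether a shadowing binary in ~/bin or ~/.local/bin is intended is a judgement only its owner can make.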

