./
Derek Martin
invalid at pizzashack.org
Tue Nov 11 01:20:48 EST 2003
On Tue, Nov 11, 2003 at 03:09:21AM +0000, dsr at tao.merseine.nu wrote:
> Let's add another safety tip: don't add . to $PATH for normal users,
> but do add ~/bin, and use the /etc/rc.skel or equivalent to create
> ~/bin for all new users. When people want to add special commands,
> putting them in their local bin is The Right Thing To Do.
That SEEMS like a good idea, but it's actually worse than having '.'
in the user's path. Why? Because the user can almost certainly write
files to ~/bin. This means that, say, someone exploiting a hole in
Mozilla could make your browser write their malicious script into
~/bin and make it executable. Now you have a much more likely attack
vector, since that directory is also in the user's PATH. Bad bad bad.
Red Hat used to set ~/bin up, by default. They don't anymore. :)
Never put user-writable directories in the PATH. If you're going to
ignore that, and/or put '.' in the PATH, be sure to at least put them
in LAST.
--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.
Replying to it will result in undeliverable mail.
Sorry for the inconvenience. Thank the spammers.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.blu.org/pipermail/discuss/attachments/20031111/25fa30e3/attachment.sig>
More information about the Discuss
mailing list