
BLU Discuss list archive



On Tue, Nov 11, 2003 at 03:09:21AM +0000, dsr at wrote:
> Let's add another safety tip: don't add . to $PATH for normal users,
> but do add ~/bin, and use the /etc/rc.skel or equivalent to create
> ~/bin for all new users. When people want to add special commands,
> putting them in their local bin is The Right Thing To Do.

That SEEMS like a good idea, but it's actually worse than having '.'
in the user's path.  Why?  Because the user can almost certainly write
files to ~/bin.  This means that, say, someone exploiting a hole in
Mozilla could make your browser write their malicious script into
~/bin and make it executable.  Now you have a much more likely attack
vector, since that directory is also in the user's PATH.  Bad bad bad.

Red Hat used to set ~/bin up, by default.  They don't anymore.  :)

Never put user-writable directories in the PATH.  If you're going to
ignore that, and/or put '.' in the PATH, be sure to at least put them
in LAST.

Derek D. Martin
This message is posted from an invalid address.
Replying to it will result in undeliverable mail.
Sorry for the inconvenience.  Thank the spammers.

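The two points in the post above, that any user-writable directory in PATH (including `.` or an empty entry) is a place a compromised process can drop a command, and that PATH order decides which copy of a command runs, can be checked with a small script. This is an added example and is not part of Derek's post or the BLU thread; the function names `audit_path` and `resolve_all`, the message wording, and the throwaway directories created by `demo` are all assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a PATH for entries that
# let anyone who can write as the user plant a command, then show how lookup
# order decides which binary wins.  Names, messages and the demo directories
# are assumptions made for this illustration.

# audit_path [PATH]: print one finding per risky entry; return 1 if any found.
audit_path() {
    rest="${1-$PATH}:"          # trailing sentinel so the final entry is processed
    pos=0; found=0
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"; rest="${rest#*:}"
        pos=$((pos + 1))
        last=""; [ -z "$rest" ] && last=" (last entry)"
        case "$entry" in
            ""|.)  echo "entry $pos: current directory in PATH ('${entry:-empty}')$last"
                   found=1; continue ;;
            /*)    ;;
            *)     echo "entry $pos: relative entry '$entry'$last"
                   found=1; continue ;;
        esac
        [ -d "$entry" ] || continue          # dangling entries cannot be written to
        # -w is true for root everywhere; this check is meant for an unprivileged user
        if [ -w "$entry" ]; then
            echo "entry $pos: '$entry' writable by $(id -un)$last"; found=1
        fi
        # other-write bit is the 9th column of 'ls -ld' output (drwxrwxrwx)
        if [ "$(ls -ld "$entry" | cut -c9)" = w ]; then
            echo "entry $pos: '$entry' world-writable$last"; found=1
        fi
    done
    return $found
}

# resolve_all NAME [PATH]: print every executable NAME in PATH order.
# The first line is what the shell would run; an earlier writable entry wins.
resolve_all() {
    name="$1"; rest="${2-$PATH}:"
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"; rest="${rest#*:}"
        [ -z "$entry" ] && entry=.      # an empty entry means the current directory
        [ -f "$entry/$name" ] && [ -x "$entry/$name" ] && printf '%s\n' "$entry/$name"
    done
    return 0
}

# demo: constructed stand-ins for ~/bin (writable) and a system bin (read-only)
demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/bin" "$t/usrbin"
    printf '#!/bin/sh\necho planted\n' > "$t/bin/ls"     # dropped by, say, a browser exploit
    printf '#!/bin/sh\necho real\n'    > "$t/usrbin/ls"  # stand-in for the system ls
    chmod 755 "$t/bin/ls" "$t/usrbin/ls"
    chmod 555 "$t/usrbin"                                # like a root-owned system directory
    echo "== audit of $t/bin:$t/usrbin:. =="
    audit_path "$t/bin:$t/usrbin:." || :
    echo "== candidates for 'ls' with the writable dir first (first line wins) =="
    resolve_all ls "$t/bin:$t/usrbin"
    echo "== same entries with the writable dir last =="
    resolve_all ls "$t/usrbin:$t/bin"
    chmod -R u+w "$t"; rm -rf "$t"
}
demo
```

Run it as the ordinary user whose PATH is in question, since root passes the `-w` test on every directory. A clean PATH (for example `/usr/local/bin:/usr/bin:/bin`) produces no findings; `~/bin` or `.` produces one line each, and the `(last entry)` tag shows whether the post's fallback advice of putting such entries last has at least been followed.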
