Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


Hash: SHA1

On Tue, 11 Nov 2003 15:20:48 +0900
Derek Martin <invalid at> wrote:

> On Tue, Nov 11, 2003 at 03:09:21AM +0000, dsr at wrote:
> > Let's add another safety tip: don't add . to $PATH for normal users,
> > but do add ~/bin, and use the /etc/rc.skel or equivalent to create
> > ~/bin for all new users. When people want to add special commands,
> > putting them in their local bin is The Right Thing To Do.
> That SEEMS like a good idea, but it's actually worse than having '.'
> in the user's path.  Why?  Because the user can almost certainly write
> files to ~/bin.  This means that, say, someone exploiting a hole in
> Mozilla could make your browser write their malicious script into
> ~/bin and make it executable.  Now you have a much more likely attack
> vector, since that directory is also in the user's PATH.  Bad bad bad.
> Red Hat used to set ~/bin up, by default.  They don't anymore.  :)
> Never put user-writable directories in the PATH.  If you're going to
> ignore that, and/or put '.' in the PATH, be sure to at least put them
> in LAST.
BTW: Instead of using ~/bin in the PATH variable, use $HOME/bin. While
these are effectively the same thing, ~ is not recognized by the Bourne
shell (but is recognized by most others including BASH, KSH, CSH and

- -- 
Jerry Feldman <gaf at>
Boston Linux and Unix user group PGP key id:C5061EA9
PGP Key fingerprint:053C 73EC 3AC1 5C44 3E14 9245 FB00 3ED5 C506 1EA9
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)


BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /