./

Tue Nov 11 08:00:27 EST 2003

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 11 Nov 2003 15:20:48 +0900
Derek Martin <invalid at pizzashack.org> wrote:

> On Tue, Nov 11, 2003 at 03:09:21AM +0000, dsr at tao.merseine.nu wrote:
> > Let's add another safety tip: don't add . to $PATH for normal users,
> > but do add ~/bin, and use the /etc/rc.skel or equivalent to create
> > ~/bin for all new users. When people want to add special commands,
> > putting them in their local bin is The Right Thing To Do.
> 
> That SEEMS like a good idea, but it's actually worse than having '.'
> in the user's path.  Why?  Because the user can almost certainly write
> files to ~/bin.  This means that, say, someone exploiting a hole in
> Mozilla could make your browser write their malicious script into
> ~/bin and make it executable.  Now you have a much more likely attack
> vector, since that directory is also in the user's PATH.  Bad bad bad.
> 
> Red Hat used to set ~/bin up, by default.  They don't anymore.  :)
> 
> Never put user-writable directories in the PATH.  If you're going to
> ignore that, and/or put '.' in the PATH, be sure to at least put them
> in LAST.
BTW: Instead of using ~/bin in the PATH variable, use $HOME/bin. While
these are effectively the same thing, ~ is not recognized by the Bourne
shell (but is recognized by most others including BASH, KSH, CSH and
TCSH).

- -- 
Jerry Feldman <gaf at blu.org>
Boston Linux and Unix user group
http://www.blu.org PGP key id:C5061EA9
PGP Key fingerprint:053C 73EC 3AC1 5C44 3E14 9245 FB00 3ED5 C506 1EA9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQE/sN1r+wA+1cUGHqkRAnomAJ0X9LE9+pfvCCIPKvzFHZ43Laj3ZgCfYe4/
djPLe7yN1IbUZXB0G97YRDQ=
=WCZX
-----END PGP SIGNATURE-----