On Saturday 03 June 2006 16:11, znx <znxster@×××××.com> wrote about 'Re:
[gentoo-user] bash wizardry needed: PATH and MANPATH grow and grow and
grow':
> On 27/05/06, Kevin O'Gorman <kogorman@×××××.com> wrote:
> > Open to debate. I'd think it's not very dangerous at the *end* of
> > the PATH.
>
> True, I have modified the script so that a . may enter the PATH (etc)
> only as the final entry. Also good point about ~/bin .. it is just as
> dangerous.

Actually, it's not as dangerous. ~/bin is a well-known location that is
(normally) only writable by the user themselves. '.' is a floating
location that may (from time to time) refer to a directory that is
world-writable like /tmp, /var/tmp, or /dev/shm.

Having '.' in your path allows arbitrary guest users to run programs with
your permissions. Putting it at the end of your PATH prevents them from
shadowing existing commands, but doesn't prevent them from taking
advantage of typos.

Having ~/bin or even just ~ in your PATH does not open this security hole
unless you also make that directory world-writable.

--
"If there's one thing we've established over the years,
it's that the vast majority of our users don't have the slightest
clue what's best for them in terms of package stability."
-- Gentoo Developer Ciaran McCreesh