| 1 |
On Saturday 03 June 2006 16:11, znx <znxster@×××××.com> wrote about 'Re: |
| 2 |
[gentoo-user] bash wizardry needed: PATH and MANPATH grow and grow and |
| 3 |
grow': |
| 4 |
> On 27/05/06, Kevin O'Gorman <kogorman@×××××.com> wrote: |
| 5 |
> > Open to debate. I'd think it's not very dangerous at the *end* of |
| 6 |
> > the PATH. |
| 7 |
> |
| 8 |
> True, I have modified the script so that a . may enter the PATH (etc) |
| 9 |
> only as the final entry. Also good point about ~/bin .. it is just as |
| 10 |
> dangerous. |
| 11 |
|
| 12 |
Actually, it's not as dangerous. ~/bin is a well-known location that is |
| 13 |
(normally) only writable by the user themselves. '.' is a floating |
| 14 |
location, that may (from time to time) refer to a directory that is |
| 15 |
world-writable like /tmp, /var/tmp, or /dev/shm. |
| 16 |
|
| 17 |
Having '.' in your path allows arbitrary guest users to run programs with |
| 18 |
your permissions. Putting it at the end of your PATH prevents them from |
| 19 |
shadowing existing commands, but doesn't prevent them from taking |
| 20 |
advantage of typos. |
| 21 |
|
| 22 |
Having ~/bin or even just ~ in your PATH does not open this security hole |
| 23 |
unless you also make that directory world writable. |
| 24 |
|
| 25 |
-- |
| 26 |
"If there's one thing we've established over the years, |
| 27 |
it's that the vast majority of our users don't have the slightest |
| 28 |
clue what's best for them in terms of package stability." |
| 29 |
-- Gentoo Developer Ciaran McCreesh |
Archives