On Mon, Jun 19, 2017 at 06:00:58PM +0200, Nicolas George wrote:
> On primidi 1 Messidor, year CCXXV, Henrique de Moraes Holschuh wrote:
> > That said, no, it is not usually considered a security vulnerability,
> > because NOT using the full path to run commands such as "su" and "sudo"
> > in the first place IS considered gross negligence.
>
> If your account has been compromised so much that an attacker was able
> to add something in ~/bin/, then using the full path of the commands
> does not bring any extra security.
Henrique, I believe, was describing an attack that works like this:

1) Login.
2) PATH=~/bin:$PATH
3) vi ~/bin/su (insert malicious code); chmod 755 ~/bin/su
4) Call the system administrator, and get him/her to come to your desk.
5) Get the sysadmin to run "su -c something" for you at your desk.

This runs your password-capturing program, which records the root password somewhere you can retrieve it after the sysadmin leaves.

This is not an attack vector I had previously considered, so thanks to Henrique for pointing it out. Nevertheless, I don't think this justifies any requests to change the default PATH in /etc/skel/.profile. The attack can be carried out as described above regardless of what Debian does in /etc/skel/.
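An added example, not code from the thread: two POSIX sh helpers that let an administrator audit a PATH value for the precondition the attack above depends on (a user-writable directory searched ahead of the system directories) and emulate the shell's lookup to see which "su" a given PATH would actually run. The directory names and the test inputs are constructed for illustration.

```sh
# Added example, not from the thread: audit a PATH-style string for
# writable entries that precede the system directories, and emulate
# command lookup so the effect of a ~/bin-first PATH is visible.

# Print every writable entry that comes before the first system directory.
# Exit status: 0 if none were found, 1 otherwise.
audit_path() {
    p=${1:-$PATH}          # PATH-style string to inspect (default: $PATH)
    found=0
    old_ifs=$IFS
    IFS=:
    set -f; set -- $p; set +f   # split on ':' without pathname expansion
    IFS=$old_ifs
    for dir in "$@"; do
        case "$dir" in
            /bin|/sbin|/usr/bin|/usr/sbin) break ;;   # system dirs reached
            '') dir=. ;;   # an empty entry means the current directory
        esac
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            printf '%s\n' "$dir"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Emulate the shell's lookup: print the first executable named $1 found
# along the PATH-style string $2 (default: $PATH). Exit 1 if none.
first_match() {
    name=$1
    p=${2:-$PATH}
    old_ifs=$IFS
    IFS=:
    set -f; set -- $p; set +f
    IFS=$old_ifs
    for dir in "$@"; do
        [ -n "$dir" ] || dir=.
        if [ -x "$dir/$name" ] && [ ! -d "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}
```

Running `audit_path` against a login shell's PATH (or each entry under /etc/skel) reports any directory that a user could populate ahead of /bin and /usr/bin; `first_match su "$PATH"` shows which binary that PATH would select.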