On Wed 09 Aug 2017 at 18:04:56 (+0200), Gian Uberto Lauri wrote:

> Having ~/bin before /bin and /usr/bin (and /usr/local/bin) is of no
> harm at all if your account is safe enough.
>
> If and only if someone can log on with your account, she can put a
> malicious copy/wrapper of a system command (ls to name one) in your
> bin and you could trigger it thinking to use the system version.
>
> What *is* dangerous is having . before system directories, especially
> on multi-user machines.
>
> In this scenario, user A, who has . in the path before /bin, goes in a
> directory of user B and does an 'ls'.
>
> That directory contains an executable called ls that is smart enough
> to hide itself. But bastard enough to do something nasty, a Trojan
> horse. And user A just brought it within the walls...
While putting . _anywhere_ in PATH would be stupid, there is a more
insidious trap for the unaware, namely mistaking : for a delimiter
instead of a separator. An extra colon (anywhere) will yield a null
entry. A null entry in PATH is treated as the current directory.

Examples:

    foo:bar:
    foo::bar
    :foo:bar

and obviously

    :foo:bar:

Cheers,
David.