On Wed, May 2, 2018 at 6:44 AM Miro Hrončok <mhron...@redhat.com> wrote:
> On 2.5.2018 15:30, Stephen Gallagher wrote: > > Does anyone see a reason not to prioritize ~/.local/bin over > /usr/bin? > > > > > > Yes, if a user's account is compromised (or any service running as > > them), it's REALLY easy to drop faked tools into a user-private > > directory and override critical system tools (like replacing 'bash' with > > a keylogger). > > If user's account is compromised, user's PATH can be changed. IMHO the > provided argument is not valid. > > There are a lot of ways where their account can be compromised without having complete session access. If they're running a web-connected application as their user, that application could be compromised to write a file to disk. If that file can now supersede the system copy, they have now escalated the degree of the compromise.
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org