On Tue, Jun 12, 2018 at 7:10 AM, Tomasz Kłoczko <kloczko.tom...@gmail.com> wrote:
> Just FTR: So far I was unable to find in any of the fredesktop.org or > other specs (https://www.freedesktop.org/wiki/Software/) things like > requirement use /usr/local{bi,sbin} or ~.local/bin in $PATH (and > especially on the front of thes env variable). I would be really glad > to find original reason why paths like /usr/local{bi,sbin} have been > added to OOTB $PATH and why someone has been thinking that those paths > should be added on the front of the $PATH. Most of them aren't worried enough about it, or don't have enough history to see underlying problems. Most think, and I'm pretty sure of this, that you've gotten the security explanations done repeatedly and seem to have ignored them. They're certainly not actually spelled out in your analysis. The simple fact is that "sudo" inherits $HOME and $PATH by default. Your proposed change would make privilege escalation attacks against sudo users much more trivial by opening up the attack surface for every binary in /bin or /usr/bin to be replaced by a local binary in ~/.local/bin/. The situation you're trying to resolve, where a powerful binary has intermingled components that may or not be matched by system components, has been resolved repeatedly by tools like rvm and pyvenv, by setting up a specific directory *not* enabled by default, but making setup for that less default enabled tool easy for the user to enable on a case by case basis. So, the risk of your change is high for others, the consequences are potentially *disastrous*, and you've already got workarounds for your particular needs *without* touching other system behavior If you really want it for youself as a user, which I do not recommend for such a tool, well, you can insist on doing it for your own individual needs on a case by case basis. _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/QHIKORMDVMA4JNRKYLO2M7LLLAY25R3U/
