On Tue, Jun 12, 2018 at 08:00:26PM +0200, Reindl Harald wrote: > > > Am 12.06.2018 um 19:45 schrieb Daniel P. Berrangé: > > On Tue, Jun 12, 2018 at 10:20:46AM -0700, Howard Howell wrote: > >> I haven't followed all of this thread, too self busy. However there is > >> a security argument. If you have a local executable directory, then > >> the capability for malicious software to attach is wide open for that > >> user, whatever their privelege level might be. > >> > >> Most businesses that have linux in their suite, won't want a ~/.bin > >> anywhere in their organization. > > > > If a malicious attacker have privileges to create/modify $HOME/.bin/foo, > > then they will also have privileges to modify $HOME/.bashrc to add any > > directory they wish to $PATH. So that security argument doesn't hold water > > bullshit - man chattr > > [root@srv-rhsoft:~]$ touch /home/harry/.bashrc > touch: setting times of '/home/harry/.bashrc': Operation not permitted > > so and now tell me how you override "ls" on my system until some fool > adds a user-writeable directory in front of $PATH i am not aware
If you're willing to make custom modifications to prevent user writing to their own $HOME, then there's no reason why you can't set a different $PATH or also use chattr to prevent use of $HOME/.local/bin. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/DRUSEEQWQU6LJB3747D4RCYHWM3ZIOVE/
