On 07/27/2011 10:09 PM, Reindl Harald wrote: > > > Am 27.07.2011 21:59, schrieb Marc-André Lureau: >> I don't understand the security risks. If something is allowed to >> write to ~/.local/bin (or ~/bin etc..), then surely it's able to read >> elsewhere or do something else nasty. Could someone detail it? > > Depends on the PATH-Order
yes, and if attacker wants to do something, there are better options than putting 'ls' file in ~/.local/bin or ~/bin, which will be executed only if global ls is missing. If he can put file somewhere, why don't just write ~/.bash_profile with own content? you can change PATH, aliases, add there 'ls' function or anything else you want... -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
