Re: $HOME/.local/bin in $PATH

Wed, 30 Oct 2013 03:56:41 -0700 

On 2013-10-30 11:46, Reindl Harald wrote:


Am 30.10.2013 11:27, schrieb Alec Leamas:

On 2013-10-30 11:23, Reindl Harald wrote:

Am 30.10.2013 11:20, schrieb Alec Leamas:

On 2013-10-30 10:58, Reindl Harald wrote:

Am 30.10.2013 10:53, schrieb Alec Leamas:

On 2013-10-30 10:23, Reindl Harald wrote:

Am 30.10.2013 02:03, schrieb Chris Adams:

Once upon a time, Reindl Harald <h.rei...@thelounge.net> said:

[root@srv-rhsoft:~]$ mkdir test
i could rm -rf ~/ here

[root@srv-rhsoft:~]$ cat /usr/local/bin/mkdir
#!/bin/bash
echo "i could rm -rf ~/ here"

If I can write to files you own, it doesn't matter if there's a
directory in the PATH or not.  I can write this to your .bash_profile:

       /bin/mkdir $HOME/.bin 2> /dev/null
       echo 'echo "i could rm -rf ~/ here"' > $HOME/.bin/mkdir
       chmod +x $HOME/.bin/mkdir
       PATH=$HOME/.bin:$PATH

you can do this and that - but that's no valid argumentation
doing bad things in default setups and *at least* do not
place *hidden* diretories there, ther is a good reason why
software like rkhunter alerts if you have hidden directories
somewhere in /usr/bin/


Some kind of reference for the bad in having a well-known, hidden directory in 
the path?

the *writeable for the user* is the problem

Any reference for this problem?

what about consider the implications?
do you really need a written reference for any security relevant fact?
i can write one for you if you prefer links :-)


Well, the question is really if someone else out there share your concerns 
about this

anybody with interests in security

https://www.google.at/search?q=ssh+chroot+why+needs+the+home+directory+to+be+owned+by+root

http://binblog.info/2008/04/06/openssh-chrooted-sftp-eg-for-webhosting/
However, the chroot destination must not be owned by the user for security 
reasons


So you are arguing that $HOME should be owned by root?!  An interesting 
subject, but isn't it a little off-topic, deserving a separate thread?



--a
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct




























					Reply via email to