On 11/01/2013 10:48 AM, Reindl Harald wrote:
Am 01.11.2013 10:38, schrieb drago01:
On Fri, Nov 1, 2013 at 10:26 AM, Andrew Haley <a...@redhat.com> wrote:
On 10/30/2013 10:27 AM, Alec Leamas wrote:
On 2013-10-30 11:23, Reindl Harald wrote:
Am 30.10.2013 11:20, schrieb Alec Leamas:
On 2013-10-30 10:58, Reindl Harald wrote:
Am 30.10.2013 10:53, schrieb Alec Leamas:
Some kind of reference for the bad in having a well-known, hidden directory in 
the path?
the *writeable for the user* is the problem
Any reference for this problem?
what about considering the implications?
do you really need a written reference for any security relevant fact?
i can write one for you if you prefer links :-)

Well, the question is really if someone else out there shares your
concerns about this.

Why does it matter?  A hidden directory in everyone's path is obviously
useful to an attacker, and (IMO) more useful to an attacker than to a user.

The attacker needs to be able to write to your home directory to take
advantage of it.
And if he can do that (you lost) he has numerous other ways of doing it

so the people decided not to put the current directory in the
PATH on Unix *for security reasons* decades ago must be
fools and if you would have been born as this happened you
would have told them "forget it, in that case you are lost"

Was that even for security reasons?
Anyway, how is this relevant to this discussion? How does a static, well-known (maybe not to you so far) bin directory compare to the danger of . PATH and, say, a rootkit in /tmp/cp?

heroic attitude :-)

*yes* you have lost and in doubt in this situation the
interesting thing is how large the impact becomes

Users of a multi-user system get to customize their system without having to bother a sysadmin, and without seeing technical details of how that's accomplished mixed with their ~/Photos and ~/Documents.

What impact did *you* have in mind?

--
Petr³

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
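
The cases argued over in this thread (a user-writable directory on the PATH, `.` on the PATH, and a command of the same name sitting in an earlier directory) can be checked for on a given account. The script below is an added example and not part of any message in the thread; the function names `audit_path` and `first_later_hit` are hypothetical, chosen here.

```shell
#!/bin/sh
# Added example: audit a PATH string for the entries debated in this thread.
# Output, one finding per line:
#   cwd <entry>        empty or "." entry: the current directory is searched
#   relative <entry>   entry is not an absolute path
#   writable <dir>     directory is writable by the invoking user
#   shadow <file> hides <dir>/<name>
#                      executable in a writable directory masks a later one

# Print the first directory in colon-terminated list $2 holding executable $1.
first_later_hit() {
    rest=$2
    while [ -n "$rest" ]; do
        d=${rest%%:*}; rest=${rest#*:}
        case $d in /*) ;; *) continue ;; esac   # only absolute entries
        if [ -f "$d/$1" ] && [ -x "$d/$1" ]; then
            echo "$d"; return 0
        fi
    done
    return 1
}

audit_path() {
    path_left=$1:          # trailing ':' so every entry ends with a separator
    while [ -n "$path_left" ]; do
        entry=${path_left%%:*}; path_left=${path_left#*:}
        case $entry in
            ''|.) echo "cwd ${entry:-<empty>}"; continue ;;
            /*)   ;;
            *)    echo "relative $entry"; continue ;;
        esac
        [ -d "$entry" ] && [ -w "$entry" ] || continue
        echo "writable $entry"
        # Compare each executable here with the entries searched after it.
        for f in "$entry"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            if hit=$(first_later_hit "${f##*/}" "$path_left"); then
                echo "shadow $f hides $hit/${f##*/}"
            fi
        done
    done
    return 0
}
```

Run `audit_path "$PATH"` as the account being audited; for root the `-w` test succeeds on every directory, so the `writable` lines are only meaningful for an unprivileged user.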
