Re: User-level instance of /bin in PATH

2011-07-27 Thread Braden McDaniel
On Wed, 2011-07-27 at 09:11 +0200, Nicolas Mailhot wrote: 
> On Wednesday, 27 July 2011 at 00:01 -0400, Braden McDaniel wrote:
> 
> > Can someone explain (or point to) the rationale appending these to PATH
> > rather than prepending them?  I would have expected user binaries to
> > supersede system ones.
> 
> Security. You can do all kinds of mischief by overriding an (audited)
> system command with a user-level command (even appending is IMHO
> borderline dangerous till the usual infection/attack vectors, MUAs &
> browsers have not been taught to triple-check and flag anything going
> there)

Oh.  So, user account-level security for user accounts that have already
been compromised.

Right.  Say no more.

-- 
Braden McDaniel 

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
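
Added example (not part of the original thread and not code from Fedora's bash package): a shell script that reproduces the left-to-right PATH lookup debated here and reports which executables in a user directory take precedence over a same-named command elsewhere in PATH, once with the directory appended and once with it prepended. The function names and the temporary directory layout are constructed for the illustration.

```shell
#!/bin/sh
# Added example; directory layout and function names are constructed.
# Assumes PATH entries contain no glob characters.

# resolve_in_path NAME PATHSTRING [SKIPDIR]
# Print the first executable NAME found scanning PATHSTRING left to right,
# the way the shell does, optionally ignoring SKIPDIR.
resolve_in_path() {
    old_ifs=$IFS; IFS=:
    for dir in $2; do
        IFS=$old_ifs
        [ -n "${3-}" ] && [ "$dir" = "$3" ] && continue
        [ -z "$dir" ] && dir=.        # an empty entry means the current directory
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"; return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# user_overrides USERDIR PATHSTRING
# Print "USERFILE overrides OTHERFILE" for every executable in USERDIR that
# wins the lookup while a same-named command exists in another PATH entry.
user_overrides() {
    for f in "$1"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        winner=$(resolve_in_path "${f##*/}" "$2") || continue
        [ "$winner" = "$f" ] || continue
        other=$(resolve_in_path "${f##*/}" "$2" "$1") || continue
        printf '%s overrides %s\n' "$f" "$other"
    done
    return 0
}

# Constructed stand-ins for /usr/bin and ~/bin.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/usr/bin" "$demo_dir/home/bin"
for f in usr/bin/ls home/bin/ls home/bin/mytool; do
    printf '#!/bin/sh\necho "%s"\n' "$f" > "$demo_dir/$f"
    chmod +x "$demo_dir/$f"
done

APPENDED="$demo_dir/usr/bin:$demo_dir/home/bin"    # PATH=$PATH:$HOME/bin
PREPENDED="$demo_dir/home/bin:$demo_dir/usr/bin"   # PATH=$HOME/bin:$PATH

echo "appended:";  user_overrides "$demo_dir/home/bin" "$APPENDED"
echo "prepended:"; user_overrides "$demo_dir/home/bin" "$PREPENDED"
```

To audit a real account, call `user_overrides "$HOME/bin" "$PATH"`; any line it prints names a user-writable file that runs in place of a system command.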

Re: User-level instance of /bin in PATH

2011-07-27 Thread Nicolas Mailhot
On Wednesday, 27 July 2011 at 08:14 -0430, Robert Marcano wrote:

> appending helps a little, but if a security vulnerability allows an
> intruder to put binaries on ~/bin, I think it will not be difficult to
> overwrite .bash_profile (Unless something like SELinux is used to 
> protect startup shell script)

And I'm sure selinux people would love to secure $home except they can
only do it if its layout is fixed in stone. Which requires conventions
(like xdg) with no variability (unlike xdg)

-- 
Nicolas Mailhot


Re: User-level instance of /bin in PATH

2011-07-27 Thread Robert Marcano
>> Can someone explain (or point to) the rationale appending these to PATH
>> rather than prepending them?  I would have expected user binaries to
>> supersede system ones.
>
> Although there is probably only a small number of security
> vulnerabilities of user applications that would allow just creating and
> writing new files on a file system, nevertheless there can be some. The
> attacker could then create any binary that users usually run and get a
> full control of the user's account easily this way.
>

appending helps a little, but if a security vulnerability allows an
intruder to put binaries on ~/bin, I think it will not be difficult to
overwrite .bash_profile (Unless something like SELinux is used to 
protect startup shell script)



Re: User-level instance of /bin in PATH

2011-07-27 Thread Tomas Mraz
On Wed, 2011-07-27 at 00:01 -0400, Braden McDaniel wrote: 
> On Tue, 2011-07-26 at 08:45 -0430, Robert Marcano wrote: 
> > On 07/26/2011 08:36 AM, Genes MailLists wrote:
> > > On 07/26/2011 08:03 AM, Misha Shnurapet wrote:
> > >> 26.07.2011, 18:34, "Andrew Haley":
> > >>> On 26/07/11 10:22, Misha Shnurapet wrote:
> > >>>
> > >>>> Since F15 ~/bin has been added to PATH, and commands that are
> > >>>> supposed to run user scripts will work without changing into that
> > >>>> directory. Meanwhile, ~/.local/bin isn't used. I'd like to propose
> > >>>> that it is also added because technically it is ~/bin's brother.
> > >>>
> > >>> I've never heard of ~/.local/bin .  Are there many people who use
> > >>> this?  ~/bin is common.
> > >>
> > >> ~/.local/bin has been there by default.
> > >>
> > >> Unlike ~/bin, which is in PATH though not even created.
> > >>
> > >
> > >Where in the path do the user 'bin' elements appear in the path?
> > 
> > In /etc/skel/.bash_profile they are added to the end and I think that is ok
> > 
> > PATH=$PATH:$HOME/.local/bin:$HOME/bin
> > 
> > Never knew about ~/.local/bin my .bash_profile is really old from the 
> > time where the default was only ~/bin
> 
> Can someone explain (or point to) the rationale appending these to PATH
> rather than prepending them?  I would have expected user binaries to
> supersede system ones.

Although there is probably only a small number of security
vulnerabilities of user applications that would allow just creating and
writing new files on a file system, nevertheless there can be some. The
attacker could then create any binary that users usually run and get a
full control of the user's account easily this way.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
  Turkish proverb



Re: User-level instance of /bin in PATH

2011-07-27 Thread Nicolas Mailhot
On Wednesday, 27 July 2011 at 00:01 -0400, Braden McDaniel wrote:

> Can someone explain (or point to) the rationale appending these to PATH
> rather than prepending them?  I would have expected user binaries to
> supersede system ones.

Security. You can do all kinds of mischief by overriding an (audited)
system command with a user-level command (even appending is IMHO
borderline dangerous till the usual infection/attack vectors, MUAs &
browsers have not been taught to triple-check and flag anything going
there)

-- 
Nicolas Mailhot


Re: User-level instance of /bin in PATH

2011-07-26 Thread Braden McDaniel
On Tue, 2011-07-26 at 08:45 -0430, Robert Marcano wrote: 
> On 07/26/2011 08:36 AM, Genes MailLists wrote:
> > On 07/26/2011 08:03 AM, Misha Shnurapet wrote:
> >> 26.07.2011, 18:34, "Andrew Haley":
> >>> On 26/07/11 10:22, Misha Shnurapet wrote:
> >>>
> >>>> Since F15 ~/bin has been added to PATH, and commands that are
> >>>> supposed to run user scripts will work without changing into that
> >>>> directory. Meanwhile, ~/.local/bin isn't used. I'd like to propose
> >>>> that it is also added because technically it is ~/bin's brother.
> >>>
> >>> I've never heard of ~/.local/bin .  Are there many people who use
> >>> this?  ~/bin is common.
> >>
> >> ~/.local/bin has been there by default.
> >>
> >> Unlike ~/bin, which is in PATH though not even created.
> >>
> >
> >Where in the path do the user 'bin' elements appear in the path?
> 
> In /etc/skel/.bash_profile they are added to the end and I think that is ok
> 
> PATH=$PATH:$HOME/.local/bin:$HOME/bin
> 
> Never knew about ~/.local/bin my .bash_profile is really old from the 
> time where the default was only ~/bin

Can someone explain (or point to) the rationale appending these to PATH
rather than prepending them?  I would have expected user binaries to
supersede system ones.

-- 
Braden McDaniel 



Re: Adding ~/.local/bin to default PATH (was: Re: User-level instance of /bin in PATH)

2011-07-26 Thread Bernd Stramm
On Tue, 26 Jul 2011 17:49:43 +0100
"Richard W.M. Jones"  wrote:

> On Tue, Jul 26, 2011 at 08:45:11AM -0430, Robert Marcano wrote:
> > On 07/26/2011 08:36 AM, Genes MailLists wrote:
> > > On 07/26/2011 08:03 AM, Misha Shnurapet wrote:
> > >> 26.07.2011, 18:34, "Andrew Haley":
> > >>> On 26/07/11 10:22, Misha Shnurapet wrote:
> > >>>
> > >>>> Since F15 ~/bin has been added to PATH, and commands that are
> > >>>> supposed to run user scripts will work without changing into
> > >>>> that directory. Meanwhile, ~/.local/bin isn't used. I'd like
> > >>>> to propose that it is also added because technically it is
> > >>>> ~/bin's brother.
> > >>>
> > >>> I've never heard of ~/.local/bin .  Are there many people who
> > >>> use this?  ~/bin is common.
> > >>
> > >> ~/.local/bin has been there by default.
> > >>
> > >> Unlike ~/bin, which is in PATH though not even created.
> > >>
> > >
> > >Where in the path do the user 'bin' elements appear in the
> > > path?
> > 
> > In /etc/skel/.bash_profile they are added to the end and I think
> > that is ok
> > 
> > PATH=$PATH:$HOME/.local/bin:$HOME/bin
> 
> This was added between bash-4.2.10 -2 and -3:
> 
> http://pkgs.fedoraproject.org/gitweb/?p=bash.git;a=commitdiff;h=02b20d810111e8b53bb98ad49fedd1d583ce62e1
> 
> because of https://bugzilla.redhat.com/show_bug.cgi?id=699812
> 
> There is some rationale in that bug, but I think it's extremely bogus.

Oh it seems very useful for purposes like installing executables that
most users will never find.

> 
> Rich.
> 



-- 
Bernd Stramm
bernd.str...@gmail.com



Adding ~/.local/bin to default PATH (was: Re: User-level instance of /bin in PATH)

2011-07-26 Thread Richard W.M. Jones
On Tue, Jul 26, 2011 at 08:45:11AM -0430, Robert Marcano wrote:
> On 07/26/2011 08:36 AM, Genes MailLists wrote:
> > On 07/26/2011 08:03 AM, Misha Shnurapet wrote:
> >> 26.07.2011, 18:34, "Andrew Haley":
> >>> On 26/07/11 10:22, Misha Shnurapet wrote:
> >>>
> >>>> Since F15 ~/bin has been added to PATH, and commands that are
> >>>> supposed to run user scripts will work without changing into that
> >>>> directory. Meanwhile, ~/.local/bin isn't used. I'd like to propose
> >>>> that it is also added because technically it is ~/bin's brother.
> >>>
> >>> I've never heard of ~/.local/bin .  Are there many people who use
> >>> this?  ~/bin is common.
> >>
> >> ~/.local/bin has been there by default.
> >>
> >> Unlike ~/bin, which is in PATH though not even created.
> >>
> >
> >Where in the path do the user 'bin' elements appear in the path?
> 
> In /etc/skel/.bash_profile they are added to the end and I think that is ok
> 
> PATH=$PATH:$HOME/.local/bin:$HOME/bin

This was added between bash-4.2.10 -2 and -3:

http://pkgs.fedoraproject.org/gitweb/?p=bash.git;a=commitdiff;h=02b20d810111e8b53bb98ad49fedd1d583ce62e1

because of https://bugzilla.redhat.com/show_bug.cgi?id=699812

There is some rationale in that bug, but I think it's extremely bogus.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming blog: http://rwmj.wordpress.com
Fedora now supports 80 OCaml packages (the OPEN alternative to F#)
http://cocan.org/getting_started_with_ocaml_on_red_hat_and_fedora


Re: User-level instance of /bin in PATH

2011-07-26 Thread Robert Marcano
On 07/26/2011 09:04 AM, Emmanuel Seyman wrote:
> * Genes MailLists [26/07/2011 15:32] :
>>
>>   Mmm ok ... Can I assume root is excepted from this?
>
> You can. That is the case.

a clean F15 install has PATH=$PATH:$HOME/bin, not the same 
/etc/skel/.bash_profile but still has ~/bin

>
> Emmanuel



Re: User-level instance of /bin in PATH

2011-07-26 Thread Genes MailLists
On 07/26/2011 09:34 AM, Emmanuel Seyman wrote:
> * Genes MailLists [26/07/2011 15:32] :
>>
>>  Mmm ok ... Can I assume root is excepted from this?
> 
> You can. That is the case.
> 
> Emmanuel
> 

 :-)


Re: User-level instance of /bin in PATH

2011-07-26 Thread Emmanuel Seyman
* Genes MailLists [26/07/2011 15:32] :
>
>  Mmm ok ... Can I assume root is excepted from this?

You can. That is the case.

Emmanuel



Re: User-level instance of /bin in PATH

2011-07-26 Thread Emmanuel Seyman
* Genes MailLists [26/07/2011 15:14] :
>
> 
> >> On 26/07/11 10:22, Misha Shnurapet wrote:
>
> > Unlike ~/bin, which is in PATH though not even created.

It's the other way round on my machine. Both are in my $PATH but ~/bin
exists (I may have created it by hand) and ~/.local/bin/ doesn't.

>   Where in the path do the user 'bin' elements appear in the path?

These are defined by ~/.bash_profile which is copied from
/etc/skel/.bash_profile on account creation.

[manu@munshine ~]$ grep PATH /etc/skel/.bash_profile 
PATH=$PATH:$HOME/.local/bin:$HOME/bin
export PATH

Emmanuel



Re: User-level instance of /bin in PATH

2011-07-26 Thread Genes MailLists
On 07/26/2011 09:15 AM, Robert Marcano wrote:

> In /etc/skel/.bash_profile they are added to the end and I think that is ok
> 
> PATH=$PATH:$HOME/.local/bin:$HOME/bin
> 
> Never knew about ~/.local/bin my .bash_profile is really old from the 
> time where the default was only ~/bin

 Mmm ok ... Can I assume root is excepted from this?


Re: User-level instance of /bin in PATH

2011-07-26 Thread Robert Marcano
On 07/26/2011 08:36 AM, Genes MailLists wrote:
> On 07/26/2011 08:03 AM, Misha Shnurapet wrote:
>> 26.07.2011, 18:34, "Andrew Haley":
>>> On 26/07/11 10:22, Misha Shnurapet wrote:
>>>
>>>> Since F15 ~/bin has been added to PATH, and commands that are
>>>> supposed to run user scripts will work without changing into that
>>>> directory. Meanwhile, ~/.local/bin isn't used. I'd like to propose
>>>> that it is also added because technically it is ~/bin's brother.
>>>
>>> I've never heard of ~/.local/bin .  Are there many people who use
>>> this?  ~/bin is common.
>>
>> ~/.local/bin has been there by default.
>>
>> Unlike ~/bin, which is in PATH though not even created.
>>
>
>Where in the path do the user 'bin' elements appear in the path?

In /etc/skel/.bash_profile they are added to the end and I think that is ok

PATH=$PATH:$HOME/.local/bin:$HOME/bin

Never knew about ~/.local/bin my .bash_profile is really old from the 
time where the default was only ~/bin


Re: User-level instance of /bin in PATH

2011-07-26 Thread Genes MailLists
On 07/26/2011 08:03 AM, Misha Shnurapet wrote:
> 26.07.2011, 18:34, "Andrew Haley" :
>> On 26/07/11 10:22, Misha Shnurapet wrote:
>>
>>>  Since F15 ~/bin has been added to PATH, and commands that are
>>>  supposed to run user scripts will work without changing into that
>>>  directory. Meanwhile, ~/.local/bin isn't used. I'd like to propose
>>>  that it is also added because technically it is ~/bin's brother.
>>
>> I've never heard of ~/.local/bin .  Are there many people who use
>> this?  ~/bin is common.
> 
> ~/.local/bin has been there by default.
> 
> Unlike ~/bin, which is in PATH though not even created.
> 

  Where in the path do the user 'bin' elements appear in the path?


Re: User-level instance of /bin in PATH

2011-07-26 Thread Misha Shnurapet
26.07.2011, 18:34, "Andrew Haley" :
> On 26/07/11 10:22, Misha Shnurapet wrote:
>
>>  Since F15 ~/bin has been added to PATH, and commands that are
>>  supposed to run user scripts will work without changing into that
>>  directory. Meanwhile, ~/.local/bin isn't used. I'd like to propose
>>  that it is also added because technically it is ~/bin's brother.
>
> I've never heard of ~/.local/bin .  Are there many people who use
> this?  ~/bin is common.

~/.local/bin has been there by default.

Unlike ~/bin, which is in PATH though not even created.

--
Best regards,
Misha Shnurapet, Fedora Project Contributor
Email: shnurapet AT fedoraproject.org, IRC: misha on freenode
https://fedoraproject.org/wiki/shnurapet, GPG: 00217306

Re: User-level instance of /bin in PATH

2011-07-26 Thread Andrew Haley
On 26/07/11 10:22, Misha Shnurapet wrote:
> 
> Since F15 ~/bin has been added to PATH, and commands that are
> supposed to run user scripts will work without changing into that
> directory. Meanwhile, ~/.local/bin isn't used. I'd like to propose
> that it is also added because technically it is ~/bin's brother.

I've never heard of ~/.local/bin .  Are there many people who use
this?  ~/bin is common.

Andrew.