Re: where to submit low security vulnerability in .profile?

2017-06-19 Thread Ansgar Burchardt
Greg Wooledge writes: > On Mon, Jun 19, 2017 at 06:00:58PM +0200, Nicolas George wrote: >> On primidi, 1 Messidor, year CCXXV, Henrique de Moraes Holschuh wrote: >> > That said, no, it is not usually considered a security vulnerability, >> > because NOT using the full path to run commands such

Re: where to submit low security vulnerability in .profile?

2017-06-19 Thread Henrique de Moraes Holschuh
On Mon, 19 Jun 2017, The Wanderer wrote: > On 2017-06-19 at 11:59, Henrique de Moraes Holschuh wrote: > > On Mon, 19 Jun 2017, Greg Wooledge wrote: > >> You appear to be claiming that putting ~/bin in PATH is somehow > >> inherently unsafe. I don't agree. Under what conditions would > >> this

Re: where to submit low security vulnerability in .profile?

2017-06-19 Thread Nicolas George
On primidi, 1 Messidor, year CCXXV, Greg Wooledge wrote: > Henrique, I believe, was describing an attack that works like this: > > 2) PATH=~/bin:$PATH > 3) vi ~/bin/su (insert malicious code); chmod 755 ~/bin/su > 4) Call the system administrator, and get him/her to come to your desk. I do

Re: where to submit low security vulnerability in .profile?

2017-06-19 Thread The Wanderer
On 2017-06-19 at 11:59, Henrique de Moraes Holschuh wrote: > On Mon, 19 Jun 2017, Greg Wooledge wrote: > >> You appear to be claiming that putting ~/bin in PATH is somehow >> inherently unsafe. I don't agree. Under what conditions would >> this result in any kind of privilege escalation? > >

Re: where to submit low security vulnerability in .profile?

2017-06-19 Thread Greg Wooledge
On Mon, Jun 19, 2017 at 06:00:58PM +0200, Nicolas George wrote: > On primidi, 1 Messidor, year CCXXV, Henrique de Moraes Holschuh wrote: > > That said, no, it is not usually considered a security vulnerability, > > because NOT using the full path to run commands such as "su" and "sudo" > > in

Re: where to submit low security vulnerability in .profile?

2017-06-19 Thread Nicolas George
On primidi, 1 Messidor, year CCXXV, Henrique de Moraes Holschuh wrote: > That said, no, it is not usually considered a security vulnerability, > because NOT using the full path to run commands such as "su" and "sudo" > in the first place IS considered gross negligence. If your account has been

Re: where to submit low security vulnerability in .profile?

2017-06-19 Thread Henrique de Moraes Holschuh
On Mon, 19 Jun 2017, Greg Wooledge wrote: > You appear to be claiming that putting ~/bin in PATH is somehow inherently > unsafe. I don't agree. Under what conditions would this result in any > kind of privilege escalation? The OP was complaining that ~/bin was being *prepended* to PATH, instead

Re: where to submit low security vulnerability in .profile?

2017-06-19 Thread Greg Wooledge
On Sun, Jun 18, 2017 at 06:56:07AM +0200, David Bunch wrote: > I'm not sure where or how or even if I should submit a bug small security > vulnerability in the default .profile that is created in each user's home > directory. That file comes from /etc/skel/.profile which is in the package...

Re: where to submit low security vulnerability in .profile?

2017-06-18 Thread David Wright
On Sun 18 Jun 2017 at 07:55:32 (-0400), RavenLX wrote: > On 06/18/2017 12:56 AM, David Bunch wrote: > >Hi, > > > >I'm not sure where or how or even if I should submit a bug small security > >vulnerability in the default .profile that is created in each user's home > >directory. > > > >.profile

Re: where to submit low security vulnerability in .profile?

2017-06-18 Thread RavenLX
On 06/18/2017 05:05 AM, Nicolas George wrote: On decadi, 30 Prairial, year CCXXV, David Bunch wrote: This could be a potential security vulnerability because if the user account of a user with 'su' power, an attacker could place a malicious 'su', 'ls', and 'which' in their ~/bin directory which

Re: where to submit low security vulnerability in .profile?

2017-06-18 Thread RavenLX
On 06/18/2017 12:56 AM, David Bunch wrote: Hi, I'm not sure where or how or even if I should submit a bug small security vulnerability in the default .profile that is created in each user's home directory. .profile searches for a ~/bin directory and if it finds it prepends it to PATH like so:

Re: where to submit low security vulnerability in .profile?

2017-06-18 Thread Nicolas George
On decadi, 30 Prairial, year CCXXV, David Bunch wrote: > This could be a potential security vulnerability because if the user account > of a user with 'su' power, an attacker could place a malicious 'su', 'ls', > and 'which' in their ~/bin directory which could give an attacker the root >

where to submit low security vulnerability in .profile?

2017-06-17 Thread David Bunch
Hi, I'm not sure where or how or even if I should submit a bug small security vulnerability in the default .profile that is created in each user's home directory. .profile searches for a ~/bin directory and if it finds it prepends it to PATH like so: PATH='$HOME/bin':$PATH This could be a