cjwatson at ubuntu.com
Sun Jul 17 19:56:10 UTC 2005
On Sun, Jul 17, 2005 at 09:23:04PM +0200, Dennis Kaarsemaker wrote:
> On zo, 2005-07-17 at 19:49 +0100, Colin Watson wrote:
> > No. Mendel is absolutely correct when talking about the current
> > directory, but there are no such concerns about an explicit directory
> > such as ~/bin provided that no users other than you and root can write
> > there.
> Theoretical situation:
> 1) You download an infected/malevolent program from the net. This
> program places a malware script called vim in ~/bin.
> 2) You run sudo vim to edit a config file.
> 3) Since sudo resets neither $HOME nor $PATH, the malware script will
> be run, if it simply executes /usr/bin/vim $@ as last bit, you will
> not even notice that you ran something else.

Faulty premise: sudo does reset $PATH (since Debian and Ubuntu both
configure it --with-secure-path). Try it ...

  cjwatson at cittagazze:~ $ type total
  total is /home/cjwatson/bin/total
  cjwatson at cittagazze:~ $ echo 1 2 3 | total
  cjwatson at cittagazze:~ $ echo 1 2 3 | sudo total
  sudo: total: command not found

Also note that such a malware script could simply fiddle with your shell
startup files and make 'sudo', 'su', etc. be aliases to something
different. Including ~/bin in $PATH opens no extra vulnerabilities and
is an enormous convenience.

Colin Watson [cjwatson at ubuntu.com]
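
The two conditions discussed in this message, no current-directory entries in $PATH and no $PATH directory that users other than you and root can write to, can be checked mechanically. The script below is an added example, not part of the original message; the function name `audit_path` and its output labels are made up for illustration.

```shell
#!/bin/sh
# Added example: audit a PATH string for entries in which someone other
# than you and root could plant a command.

audit_path() {
    ap_rest="$1:"        # extra ':' so a trailing empty entry is seen too
    ap_me=$(id -u)
    ap_bad=0
    while [ -n "$ap_rest" ]; do
        ap_dir=${ap_rest%%:*}      # first entry
        ap_rest=${ap_rest#*:}      # everything after it
        case $ap_dir in
            /*) ;;
            *)  # '', '.', 'bin', ... all resolve against the current directory
                echo "RELATIVE: '$ap_dir'"
                ap_bad=1
                continue ;;
        esac
        [ -d "$ap_dir" ] || continue          # nothing to inspect
        # -L: judge the directory a symlink points to; -n: numeric owner
        ap_ls=$(ls -ldLn "$ap_dir" 2>/dev/null) || continue
        ap_perms=${ap_ls%% *}                 # e.g. drwxr-xr-x
        ap_uid=$(printf '%s\n' "$ap_ls" | awk '{print $3}')
        if [ "$ap_uid" != "$ap_me" ] && [ "$ap_uid" != 0 ]; then
            echo "FOREIGN-OWNER: $ap_dir (uid $ap_uid)"
            ap_bad=1
        fi
        case $ap_perms in
            # 6th character = group write bit, 9th = other write bit
            ?????w*|????????w*)
                echo "WRITABLE-BY-OTHERS: $ap_dir ($ap_perms)"
                ap_bad=1 ;;
        esac
    done
    [ "$ap_bad" -eq 0 ]    # status 0 only when nothing was reported
}

# Audit the PATH of the shell that runs this script.
audit_path "$PATH" || echo "review the entries listed above"
```

A group-writable directory is reported even when the group is a single-member private group; whether that counts as "other users" depends on who is in the group.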