/home/user/bin
Robbo
ml at the-view.eclipse.co.uk
Sun Jul 17 20:31:44 UTC 2005
On Sun, 2005-07-17 at 21:23 +0200, Dennis Kaarsemaker wrote:
> On zo, 2005-07-17 at 19:49 +0100, Colin Watson wrote:
> > No. Mendel is absolutely correct when talking about the current
> > directory, but there are no such concerns about an explicit directory
> > such as ~/bin provided that no users other than you and root can write
> > there.
>
> Theoretical situation:
> 1) You download an infected/malevolent program from the net. This
> program places a malware script called vim in ~/bin.
> 2) You run sudo vim to edit a config file.
> 3) Since sudo resets neither $HOME nor $PATH, the malware script will
> be run, if it simply executes /usr/bin/vim $@ as last bit, you will
> not even notice that you ran something else.
>
If you ran a malware script, if it could change your bash profile script
it could change the path / aliases to run a modified sudo. You get the
point.
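
An added example, not part of the original thread: a shell function that audits a PATH string for the case discussed above, reporting each executable in a directory writable by the current user that is found ahead of a same-named executable in a later entry. The function name `path_shadows` and its output format are choices made for this example, and it does not cover the modified-profile or alias case raised in the reply.

```shell
#!/bin/sh
# Added example: find commands in user-writable PATH directories that shadow
# a same-named command later in PATH (the ~/bin/vim vs /usr/bin/vim case).

# path_shadows PATHSTRING
# Prints one line per finding: "<earlier file> shadows <later file>".
path_shadows() {
    remaining=$1
    while [ -n "$remaining" ]; do
        dir=${remaining%%:*}                      # entry being examined
        case $remaining in
            *:*) remaining=${remaining#*:} ;;     # entries searched after it
            *)   remaining= ;;
        esac
        dir=${dir:-.}                             # empty entry = current directory
        # Only directories the invoking user can write to are of interest.
        if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then continue; fi
        for f in "$dir"/*; do
            if [ ! -f "$f" ] || [ ! -x "$f" ]; then continue; fi
            rest=$remaining
            while [ -n "$rest" ]; do
                cand=${rest%%:*}
                cand=${cand:-.}/${f##*/}          # same command name, later dir
                case $rest in
                    *:*) rest=${rest#*:} ;;
                    *)   rest= ;;
                esac
                # -ef (bash, dash, busybox sh) skips the same file reached
                # through a duplicate or symlinked PATH entry.
                if [ -f "$cand" ] && [ -x "$cand" ] && [ ! "$cand" -ef "$f" ]; then
                    printf '%s shadows %s\n' "$f" "$cand"
                    break
                fi
            done
        done
    done
}

# Audit the PATH of the current shell when the script is run directly.
path_shadows "$PATH"
```

Where the sudoers `secure_path` option is set, sudo replaces PATH with that value for the commands it runs, so the audit above describes the invoking user's shell rather than the elevated command.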