/home/user/bin
Dennis Kaarsemaker
dennis at kaarsemaker.net
Sun Jul 17 21:07:05 UTC 2005
On Sun, 2005-07-17 at 20:56 +0100, Colin Watson wrote:
> Faulty premise: sudo does reset $PATH (since Debian and Ubuntu both
> configure it --with-secure-path). Try it ...
Hmm, you are right, I got confused by this:
dennis at mirage ~ $ echo $PATH
/home/dennis/bin:/usr/local/MTsim:/usr/local/asfsdf/bin:/usr/local/rscript/bin:/usr/local/bin:/usr/local/sbin:/sbin:/usr/sbin:/bin:/usr/bin:/usr/bin/X11:/usr/games
dennis at mirage ~ $ sudo echo $PATH
/home/dennis/bin:/usr/local/MTsim:/usr/local/asfsdf/bin:/usr/local/rscript/bin:/usr/local/bin:/usr/local/sbin:/sbin:/usr/sbin:/bin:/usr/bin:/usr/bin/X11:/usr/games
But of course, variable expansion is done *before* sudo is called, silly
me...
> Also note that such a malware script could simply fiddle with your shell
> startup files and make 'sudo', 'su', etc. be aliases to something
> different. Including ~/bin in $PATH opens no extra vulnerabilities and
> is an enormous convenience.
Ack. I stand corrected.
--
Dennis K.
- Linux for human beings: http://www.ubuntulinux.org
- Linux voor normale mensen: http://www.ubuntulinux.nl
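
The mix-up described in the message above, as an added example that is not part of the original mail. fake_sudo and SECURE_PATH are hypothetical stand-ins (a constructed path and an env wrapper) so the script runs without root; the real sudo commands appear only in a comment.

```shell
#!/bin/sh
# Constructed value standing in for the path a --with-secure-path build enforces.
SECURE_PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Hypothetical stand-in for sudo: replaces PATH, then runs the command.
fake_sudo() {
    env PATH="$SECURE_PATH" "$@"
}

# The command from the mail: the calling shell substitutes $PATH before
# fake_sudo starts, so echo just receives the caller's value as an argument.
expanded_by_caller() {
    fake_sudo echo "$PATH"
}

# Single quotes defer expansion to the shell started under the reset
# environment, which reports the PATH the privileged command really sees.
expanded_in_child() {
    fake_sudo sh -c 'echo "$PATH"'
}

# Same answer without any shell expansion: read PATH from the child's environment.
path_from_child_env() {
    fake_sudo env | sed -n 's/^PATH=//p'
}

# Real-system equivalents (need sudo rights, so not run here):
#   sudo sh -c 'echo "$PATH"'
#   sudo env | grep '^PATH='

echo "caller expansion: $(expanded_by_caller)"
echo "child expansion:  $(expanded_in_child)"
echo "child env:        $(path_from_child_env)"
```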