ubuntu at tigershaunt.com
Tue Dec 17 01:09:14 UTC 2013
On 13-12-16 06:56 PM, Bob wrote:
> I am fairly new to Linux so I have been reading "A Practical Guide to Linux
> Commands, Editors and Shell Programming", In the book they say that it is a
> security issue to place the working directory and/or the home directory at the
> front of the PATH. Is this true? If it is why does Ubuntu put the home
> directory first in the PATH?
That's a very good catch. My system also has the home bin directories
at the start of my PATH, something I never even though to check!
Yes, it's true that this poses a security risk.
Imagine, for example, if someone attacking a linux based system tricked
a hapless user to running a unpriviliged script that wrote a password
spy script to /home/$USER/bin/sudo
Next time you tried to run a sudo command in a shell (maybe following a
tutorial of some kind.), as soon as you typed in your password, you
would instead be sending it to the attacker.
PS: The insecure configuration is caused by /etc/skel/.profile (on my
Raring install), which copies the .profile to all new users on
creation. This file is part of the bash package. Why would there even
be a skel/.profile?? shouldn't that be a file in /etc/profile.d or some
such?? Makes no sense to have that file in there.
More information about the ubuntu-users