Security question

[Rashkae]

On 13-12-16 06:56 PM, Bob wrote:
> I am fairly new to Linux so I have been reading "A Practical Guide to Linux
> Commands, Editors and Shell Programming",  In the book they say that it is a
> security issue to place the working directory and/or the home directory at the
> front of the PATH.  Is this true?  If it is why does Ubuntu put the home
> directory first in the PATH?
>


That's a very good catch.  My system also has the home bin directories 
at the start of my PATH, something I never even though to check!

Yes, it's true that this poses a security risk.

Imagine, for example, if someone attacking a linux based system tricked 
a hapless user to running a unpriviliged script that wrote a password 
spy script to /home/$USER/bin/sudo

Next time you tried to run a sudo command in a shell (maybe following a 
tutorial of some kind.), as soon as you typed in your password, you 
would instead be sending it to the attacker.

PS: The insecure configuration is caused by /etc/skel/.profile (on my 
Raring install), which copies the .profile to all new users on 
creation.   This file is part of the bash package.  Why would there even 
be a skel/.profile?? shouldn't that be a file in /etc/profile.d or some 
such?? Makes no sense to have that file in there.