paul at mad-scientist.net
Tue Dec 17 18:55:04 UTC 2013
On Tue, 2013-12-17 at 13:41 -0500, Rashkae wrote:
> On 13-12-17 01:21 PM, Colin Watson wrote:
> > On Mon, Dec 16, 2013 at 08:09:14PM -0500, Rashkae wrote:
> >> On 13-12-16 06:56 PM, Bob wrote:
> >>> I am fairly new to Linux so I have been reading "A Practical Guide to Linux
> >>> Commands, Editors and Shell Programming". In the book they say that it is a
> >>> security issue to place the working directory and/or the home directory at the
> >>> front of the PATH. Is this true? If it is, why does Ubuntu put the home
> >>> directory first in the PATH?
> >> That's a very good catch. My system also has the home bin
> >> directories at the start of my PATH, something I never even thought
> >> to check!
> >> Yes, it's true that this poses a security risk.
> > No, it really doesn't. That directory is only writable by your user, so
> > anyone who can write to that directory can also control your user in
> > myriad other ways; for example they could use the exact same access to
> > modify ~/.bashrc. If they have this access, they're already inside the
> > security boundary you're trying to defend.
> I already explained the attack method in the e-mail, which you
> conveniently cut out in your reply, rather than address it. I agree it's
> not something worth panicking over, but it's a very sloppy default
> configuration for a distro.
No, Colin is correct. If the attacker can trick you into running
something as your own account, hence adding content to ~/bin, then
you've already lost. There's no point to worrying about it.
Note how Colin points out that the attacker can modify your ~/.bashrc...
so they can add ~/bin to your PATH themselves! Or they can set up
aliases or shell functions to hide "sudo", "su", "ssh", etc.
From a "level of security" standpoint there's NO benefit (read:
increased security) to not including ~/bin in PATH by default.
".", on the other hand, is a whole different story.
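The distinction the thread draws is between ~/bin, which only the account owner can write to, and "." or an empty PATH field (the shell treats a zero-length entry as the current directory too), which lets whatever directory you happen to be in shadow system commands. The script below is an added example, not part of the thread and not Ubuntu's code: it audits a PATH string for those entries and for absolute directories that are writable by other users. The function names audit_path, classify_path_entry and path_issue_count are my own, and the sample PATH is constructed for illustration.

```shell
#!/bin/sh
# Audit a PATH value for entries that let an untrusted directory shadow
# system commands. Operates on the string passed as $1, so it can be run
# against any value without touching the caller's environment.

# Print a finding label for one PATH entry, or nothing if the entry is fine.
classify_path_entry() {
    entry="$1"
    case "$entry" in
        '')  echo "empty-entry" ;;   # zero-length field: the shell searches "."
        .)   echo "dot-entry" ;;     # the current directory, whatever it is
        /*)
            # Absolute path: report it only if it exists and other users can
            # write to it (-perm -002 = "other write" bit set). -L follows a
            # symlinked directory so the target's mode is checked, not the link's.
            if [ -d "$entry" ] && [ -n "$(find -L "$entry" -prune -perm -002 2>/dev/null)" ]; then
                echo "world-writable"
            fi
            ;;
        *)   echo "relative" ;;      # resolved against the cwd, like "." but hidden
    esac
}

# Walk the colon-separated value and print "label<TAB>entry" per finding.
# A trailing ':' is appended so the last field terminates like the others;
# parameter expansion is used instead of IFS splitting because shells
# disagree about empty fields produced by leading or doubled colons.
audit_path() {
    rest="$1:"
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        label="$(classify_path_entry "$entry")"
        if [ -n "$label" ]; then
            printf '%s\t%s\n' "$label" "$entry"
        fi
    done
}

# Number of findings, as a plain integer.
path_issue_count() {
    audit_path "$1" | wc -l | tr -d ' '
}

# Constructed sample PATH (not taken from a real system): ~/bin first is
# reported as nothing, while ".", the bare "scripts" entry and the empty
# field between the two colons are each a finding.
sample_path="$HOME/bin:/usr/local/bin:/usr/bin:.:scripts::/bin"
audit_path "$sample_path"
echo "findings: $(path_issue_count "$sample_path")"

# To check the live environment instead: audit_path "$PATH"
```

Running it against "$PATH" on a system with Ubuntu's default ~/.profile prints nothing, which is the thread's point: ~/bin at the front is not a finding. A stray "." or an empty field, usually left behind by a hand-edited `PATH=$PATH:` line, is.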