Security question

Paul Smith paul at mad-scientist.net
Tue Dec 17 18:55:04 UTC 2013


On Tue, 2013-12-17 at 13:41 -0500, Rashkae wrote:
> On 13-12-17 01:21 PM, Colin Watson wrote:
> > On Mon, Dec 16, 2013 at 08:09:14PM -0500, Rashkae wrote:
> >> On 13-12-16 06:56 PM, Bob wrote:
> >>> I am fairly new to Linux so I have been reading "A Practical Guide to Linux
> >>> Commands, Editors and Shell Programming",  In the book they say that it is a
> >>> security issue to place the working directory and/or the home directory at the
> >>> front of the PATH.  Is this true?  If it is why does Ubuntu put the home
> >>> directory first in the PATH?
> >> That's a very good catch.  My system also has the home bin
> >> directories at the start of my PATH, something I never even thought
> >> to check!
> >>
> >> Yes, it's true that this poses a security risk.
> > No, it really doesn't.  That directory is only writable by your user, so
> > anyone who can write to that directory can also control your user in
> > myriad other ways; for example they could use the exact same access to
> > modify ~/.bashrc.  If they have this access, they're already inside the
> > security boundary you're trying to defend.
> >
> 
> I already explained the attack method in the e-mail, which you 
> conveniently cut out in your reply, rather than address it. I agree it's 
> not something worth panicking over, but it's a very sloppy default 
> configuration for a distro.

No, Colin is correct.  If the attacker can trick you into running
something as your own account, hence adding content to ~/bin, then
you've already lost.  There's no point to worrying about it.

Note how Colin points out that the attacker can modify your ~/.bashrc...
so they can add ~/bin to your PATH themselves!  Or they can set up
aliases or shell functions to hide "sudo", "su", "ssh", etc.

From a "level of security" standpoint there's NO benefit (read:
increased security) to not including ~/bin in PATH by default.

".", on the other hand, is a whole different story.
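A check for the distinction drawn at the end of this message (a relative entry such as "." or an empty field is the hazard, not a directory that only your own account can write), as an added example that is not part of the mailing-list thread: it walks a PATH value and flags relative fields and, generalising Colin's point about who can write to the directory, any entry that is world-writable. The function name and output format are my own.

```shell
# Audit a PATH value for entries that let someone other than the account
# owner inject commands: relative entries ("." or an empty field, which
# the shell resolves to the current directory) and directories that are
# world-writable. Prints one finding per line; returns 1 if any found.
# Example (constructed): audit_path "/usr/bin:.:/tmp:/home/me/bin:"
audit_path() {
    _rest="$1:"        # trailing ':' so a final empty field is seen too
    _bad=0
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        case "$_entry" in
            ""|.|./*)
                echo "RELATIVE: '${_entry:-<empty>}' resolves to the current directory"
                _bad=1 ;;
            /*)
                # Entries that do not exist yet are skipped (Ubuntu adds
                # ~/bin to PATH only when it exists, so absence is common).
                [ -d "$_entry" ] || continue
                # -prune keeps find on the directory itself; -perm -0002
                # matches if the world-write bit is set, sticky or not.
                if [ -n "$(find "$_entry" -prune -perm -0002 -print 2>/dev/null)" ]; then
                    echo "WORLD-WRITABLE: $_entry (anyone can drop a command here)"
                    _bad=1
                fi ;;
            *)
                echo "RELATIVE: '$_entry' is searched relative to the current directory"
                _bad=1 ;;
        esac
    done
    return $_bad
}
```

Run it as `audit_path "$PATH"`; a clean PATH produces no output and exit status 0.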
