ubuntu at tigershaunt.com
Tue Dec 17 19:40:46 UTC 2013
On 13-12-17 01:55 PM, Paul Smith wrote:
> No, Colin is correct. If the attacker can trick you into running
> something as your own account, hence adding content to ~/bin, then
> you've already lost. There's no point to worrying about it.
> Note how Colin points out that the attacker can modify your ~/.bashrc...
> so they can add ~/bin to your PATH themselves! Or they can set up
> aliases or shell functions to hide "sudo", "su", "ssh", etc.
> >From a "level of security" standpoint there's NO benefit (read:
> increased security) to not including ~/bin in PATH by default.
> ".", on the other hand, is a whole different story.
Allright, fair point. But to clarify, I'm not suggesting removing ~/bin
from the default PATH. However, it should be added to the end of the
path, not prepended to the system /bin /sbin.
More information about the ubuntu-users