
Re: Dangerous to have ~/bin first in $PATH [was Re: Odd Path issue]



On Sat, Sep 28, 2002 at 03:15:42AM -0400, Andy Saxena wrote:
> On Thu, Sep 26, 2002 at 01:55:40PM -0500, Kent West wrote:
> > I'm using bash. "echo $PATH" reports:
> > 
> > ~/bin:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games
> 
> Putting ~/bin first in your $PATH is a security risk. Consider that if
> your user account got hacked into, somebody could place a modified top,
> ls, less executable in your ~/bin directory.

I disagree that this is a security risk. I want to override
system-provided executables, hence ~/bin is at the start of my $PATH. If
my user account gets hacked into, all bets are off; it's pointless to
worry about what somebody might put in ~/bin when they could just do
whatever it was directly, modify my .bashrc, or whatever!

I think a more sensible rule is to only put directories in $PATH that
are at least as trusted as the relevant account. Thus, /usr/bin and so
on are always fine, ~/bin is only fine for the owning user, and . is
never a good idea.

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]
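
The rule in the message above (only put directories in $PATH that are at least as trusted as the account) can be checked mechanically. The script below is an added example, not part of the original message: it assumes "trusted" means an absolute directory owned by root or by the account itself and not writable by group or other, and the function names classify_entry and audit_path are hypothetical.

```sh
#!/bin/sh
# Added example: audit PATH entries against the "at least as trusted as the
# account" rule. The trust criteria are this example's assumptions.

# classify_entry DIR UID -> prints a one-line verdict for one PATH entry
classify_entry() {
    local dir="$1" uid="$2" info perms owner
    # Assumption: a literal ~/ (as in the PATH quoted above) means $HOME.
    case $dir in "~/"*) dir=$HOME/${dir#"~/"} ;; esac
    case $dir in
        ''|.) echo "UNSAFE: current directory"; return ;;  # empty entry means "."
        /*)   ;;
        *)    echo "UNSAFE: relative path"; return ;;
    esac
    [ -d "$dir" ] || { echo "skipped: not a directory"; return; }
    # "$dir/." follows a symlinked entry (e.g. /bin -> usr/bin); -n prints numeric uids
    info=$(ls -ldn -- "$dir/." 2>/dev/null | awk '{print $1, $3}')
    [ -n "$info" ] || { echo "skipped: cannot stat"; return; }
    perms=${info% *} owner=${info#* }
    # The owner must be root or the account itself
    if [ "$owner" -ne 0 ] && [ "$owner" -ne "$uid" ]; then
        echo "UNSAFE: owned by uid $owner"; return
    fi
    # Anyone who can write to the directory can place an executable in it
    case $perms in
        ?????w*|????????w*) echo "UNSAFE: writable by group or other" ;;
        *) echo "ok" ;;
    esac
}

# audit_path PATHSTRING UID -> one line per entry, including empty ones
audit_path() {
    local rest="$1:" uid="$2" entry
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}
        printf '%-24s %s\n' "${entry:-<empty>}" "$(classify_entry "$entry" "$uid")"
    done
}

audit_path "$PATH" "$(id -u)"
```

It inspects only each directory itself, not its parent directories or the files already inside it.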


