[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Dangerous to have ~/bin first in $PATH [was Re: Odd Path issue]

Colin Watson wrote:
> 
> On Sat, Sep 28, 2002 at 03:15:42AM -0400, Andy Saxena wrote:
> > On Thu, Sep 26, 2002 at 01:55:40PM -0500, Kent West wrote:
> > > I'm using bash. "echo $PATH" reports:
> > >
> > > ~/bin:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games
> >
> > Putting ~/bin first in your $PATH is a security risk. Consider that if
> > your user account got hacked into, somebody could place a modified top,
> > ls, less executable in your ~/bin directory.
> 
> I disagree that this is a security risk. I want to override
> system-provided executables, hence ~/bin is at the start of my $PATH. If
> my user account gets hacked into, all bets are off; it's pointless to
> worry about what somebody might put in ~/bin when they could just do
> whatever it was directly, modify my .bashrc, or whatever!
> 
> I think a more sensible rule is to only put directories in $PATH that
> are at least as trusted as the relevant account. Thus, /usr/bin and so
> on are always fine, ~/bin is only fine for the owning user, and . is
> never a good idea.

Why is ./ in the path bad? If someone hacked in, couldn't they
set the path to anything they wanted?
Reply to: