Ron Johnson wrote:
> On Sun, 2005-01-23 at 23:43 -0500, Travis Crump wrote:
>> Ron Johnson wrote:
>>> On Sun, 2005-01-23 at 20:59 -0500, Scotty Fitzgerald wrote:
>>>> I know, this has to be a really dumb question. I must be missing something really simple on this one. I want to point out that I googled up and down but must be asking google the wrong thing.
>>>> [snip]
>>>> I type "a.out" into bash and I get "command not found"
>>>> Is there something I have to do to tell bash that this executable is an executable, or did I leave out a step?
>>> Why, I bet you're asking yourself, doesn't bash first look in . when you want to execute a script? Security. Let's say someone hacks into your account, and puts in a program named "ls" that is really a shell script that does "rm -rf ~". You see the problem...
>>> This is why putting . and ~/bin in your PATH are very bad ideas.
>> I understand . since . could potentially be an insecure directory like /tmp, but what is wrong with ~/bin? If an attacker is able to place a binary in ~/bin doesn't he already have the permissions to do "rm -rf ~" himself?
> . is all that is necessary for an immediate attack. For sabotage, though, ~/bin would be better suited.
But if the saboteur can put something in ~/bin couldn't he at the same time edit ~/.bashrc et al and add ~/bin to the user's path himself?
Genuinely curious. Travis
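A PATH audit for the entries this thread is arguing about, as an added example that is not part of any poster's message: it flags `.`, empty components (which the shell also treats as the current directory), relative entries, and directories that group or others can write to. The function name `audit_path`, the label names and the sample PATH string are hypothetical choices made for this illustration.

```shell
#!/bin/sh
# audit_path PATHSTRING
# Prints one "KIND<TAB>entry" line per risky PATH component and returns
# non-zero if any were found. The body is a subshell, so no variables leak.
audit_path() (
    rest="$1:"      # trailing colon so the final component is visited too
    found=0
    flag() { printf '%s\t%s\n' "$1" "$2"; found=1; }
    while [ -n "$rest" ]; do
        entry=${rest%%:*}       # text before the first colon
        rest=${rest#*:}         # everything after it
        case $entry in
            '') # "::" or a leading/trailing ":" means "search the cwd"
                flag EMPTY '(current directory)' ;;
            .)  flag DOT "$entry" ;;
            /*) # absolute entry: may group or others create files in it?
                # -H follows a symlinked entry such as /bin -> usr/bin
                if [ -d "$entry" ] && [ -n "$(find -H "$entry" -prune \
                        \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null)" ]
                then
                    flag WRITABLE_BY_GROUP_OR_OTHER "$entry"
                fi ;;
            *)  # anything else is resolved against the current directory
                flag RELATIVE "$entry" ;;
        esac
    done
    [ "$found" -eq 0 ]
)

# Constructed sample PATH (not taken from the thread); pass "$PATH" to
# audit your own shell instead.
audit_path "/usr/bin:.:/tmp:" || echo "PATH has entries that need attention"
```

A directory such as `~/bin` that only its owner can write to passes this check, which matches the point made in the thread that the risk there depends on the account already being compromised.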