
Re: Why debian put ~/bin beginning of $PATH



>>>>> "慕冬" == 慕 冬亮 <mudongliangabcd@hotmail.com> writes:

慕冬> User's command is usually stored in "/usr/local/bin". It should
慕冬> be placed before "/bin" in the $PATH.

/usr/local is a directory hierarchy for binaries typical of the local
installation and being, by default, owned by root, it is not a
directory for user commands.

Having ~/bin before /bin and /usr/bin (and /usr/local/bin) is of no
harm at all if your account is safe enough.

If and only if someone can log on with your account, she can put a
malicious copy/wrapper of a system command (ls to name one) in your
bin and you could trigger it thinking you are using the system version.

What *is* dangerous is having . before system directories, especially
on multi-user machines.

In this scenario, user A, who has . in the path before /bin, goes into a
directory of user B and does an 'ls'.

That directory contains an executable called ls that is smart enough
to hide itself. But bastard enough to do something nasty, a Trojan
horse. And user A just brought it within the walls...

-- 
 /\           ___                                    Ubuntu: ancient
/___/\_|_|\_|__|___Gian Uberto Lauri_____               African word
  //--\| | \|  |   Integralista GNUslamico            meaning "I can
\/                 coltivatore diretto di software       not install
     già sistemista a tempo (altrui) perso...                Debian"

Warning: gnome-config-daemon considered more dangerous than GOTO
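
The check below is an added example, not part of the original message: a POSIX shell function that audits a PATH string for the case described above, an entry resolved against the current working directory that is searched before the system directories. It goes slightly beyond the message by also flagging empty entries (a leading, trailing or doubled colon, which the shell treats as the current directory) and other relative entries; the function name `audit_path`, the list of system directories and the output format are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a PATH string for entries that depend on the cwd.
# Output, one line per finding: "<position> <kind> <ordering> [<entry>]"
# Exit status: 0 when nothing was flagged, 1 otherwise.
audit_path() (
    rest="$1:"              # trailing ":" so a final empty entry is still seen
    position=0
    findings=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text up to the first ":"
        rest=${rest#*:}     # everything after that ":"
        position=$((position + 1))
        case $entry in
            "") kind=empty ;;     # "::", leading or trailing ":" mean the cwd
            .)  kind=dot ;;
            /*) continue ;;       # absolute directory: does not follow the cwd
            *)  kind=relative ;;  # e.g. "bin" or "./tools"
        esac
        # Is a system directory (assumed list) searched later than this entry?
        case ":$rest" in
            *:/bin:*|*:/usr/bin:*|*:/sbin:*|*:/usr/sbin:*)
                ordering=before-system ;;
            *)  ordering=not-before-system ;;
        esac
        printf '%s %s %s [%s]\n' "$position" "$kind" "$ordering" "$entry"
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
)

# Constructed sample PATH with "." ahead of the system directories.
audit_path ".:/usr/local/bin:/usr/bin:/bin" || true
```

To audit a live session, call `audit_path "$PATH"`; a `before-system` finding is the dangerous ordering, while an absolute `~/bin` expanded to `/home/user/bin` is not flagged.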

