On Wed, 2011-07-27 at 21:59 +0200, Marc-André Lureau wrote:
>
> I don't understand the security risks. If something is allowed to
> write to ~/.local/bin (or ~/bin etc.), then surely it's able to read
> elsewhere or do something else nasty. Could someone detail it?

Also, consider that the attacker would need to be able to set the mode of the file to executable, which is not required for .bash*. Since it's at the end of PATH, they would have to install a binary that doesn't exist in /usr/bin already and then trick the user into running it at some later point. Too complicated when there are so many much easier attack points in the home directory.

Oh, and why should .bashrc be hidden? Some attacker might hide code there! (See where I'm getting here?)

The security argument is _bogus_ and splitting hairs in any case.

Btw, if it's wrong to promote ~/.local/bin, then why should ~/bin be there by default?

/Alexander
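The two conditions named in the message above (the file must be executable, and no earlier PATH entry may already provide the same name) can be checked per directory. This is an added example, not part of the original thread; the function name `classify_path_dir` and its status labels are assumptions made for the illustration.

```shell
# Added example (not from the thread): classify each regular file in one
# PATH directory by whether typing its name would actually run that copy.
#
# classify_path_dir DIR PATHSTR
# Prints "<status> <name>" per file in DIR:
#   inert     - no execute permission, so PATH lookup never picks it
#   shadowed  - an earlier PATH entry already provides that command
#   effective - DIR's copy is the one the shell would run
#   offpath   - DIR does not appear in PATHSTR at all
# The body runs in a subshell so no variables leak into the caller.
classify_path_dir() (
    dir=$1
    rest=$2:
    dir_real=$(cd "$dir" 2>/dev/null && pwd -P) || exit 1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        if [ ! -x "$f" ]; then
            echo "inert $name"
            continue
        fi
        status=offpath
        scan=$rest
        # Walk PATHSTR left to right, the same order the shell uses.
        while [ -n "$scan" ]; do
            entry=${scan%%:*}
            scan=${scan#*:}
            # An empty PATH entry means the current directory.
            [ -n "$entry" ] || entry=.
            entry_real=$(cd "$entry" 2>/dev/null && pwd -P) || continue
            if [ "$entry_real" = "$dir_real" ]; then
                status=effective   # reached DIR before any other match
                break
            fi
            if [ -f "$entry/$name" ] && [ -x "$entry/$name" ]; then
                status=shadowed    # an earlier directory wins the lookup
                break
            fi
        done
        echo "$status $name"
    done
)
```

Called as `classify_path_dir "$HOME/.local/bin" "$PATH"`, only the lines marked `effective` are files whose names resolve to that directory.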