On 30.10.2013 11:27, Alec Leamas wrote:
> On 2013-10-30 11:23, Reindl Harald wrote:
>> On 30.10.2013 11:20, Alec Leamas wrote:
>>> On 2013-10-30 10:58, Reindl Harald wrote:
>>>> On 30.10.2013 10:53, Alec Leamas wrote:
>>>>> On 2013-10-30 10:23, Reindl Harald wrote:
>>>>>> On 30.10.2013 02:03, Chris Adams wrote:
>>>>>>> Once upon a time, Reindl Harald <h.reindl@xxxxxxxxxxxxx> said:
>>>>>>>> [root@srv-rhsoft:~]$ mkdir test
>>>>>>>> i could rm -rf ~/ here
>>>>>>>>
>>>>>>>> [root@srv-rhsoft:~]$ cat /usr/local/bin/mkdir
>>>>>>>> #!/bin/bash
>>>>>>>> echo "i could rm -rf ~/ here"
>>>>>>> If I can write to files you own, it doesn't matter if there's a
>>>>>>> directory in the PATH or not. I can write this to your .bash_profile:
>>>>>>>
>>>>>>> /bin/mkdir $HOME/.bin 2> /dev/null
>>>>>>> echo 'echo "i could rm -rf ~/ here"' > $HOME/.bin/mkdir
>>>>>>> chmod +x $HOME/.bin/mkdir
>>>>>>> PATH=$HOME/.bin:$PATH
>>>>>> you can do this and that - but that's no valid argumentation for
>>>>>> doing bad things in default setups, and *at least* do not
>>>>>> place *hidden* directories there; there is a good reason why
>>>>>> software like rkhunter alerts if you have hidden directories
>>>>>> somewhere in /usr/bin/
>>>>>>
>>>>> Some kind of reference for the bad in having a well-known, hidden directory in the path?
>>>> the *writeable for the user* is the problem
>>> Any reference for this problem?
>> what about considering the implications?
>> do you really need a written reference for any security relevant fact?
>> I can write one for you if you prefer links :-)
>>
> Well, the question is really if someone else out there shares your concerns about this

anybody with interests in security

https://www.google.at/search?q=ssh+chroot+why+needs+the+home+directory+to+be+owned+by+root

http://binblog.info/2008/04/06/openssh-chrooted-sftp-eg-for-webhosting/
However, the chroot destination must not be owned by the user for security reasons
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct