On 01.11.2013 10:38, drago01 wrote:
> On Fri, Nov 1, 2013 at 10:26 AM, Andrew Haley <aph@xxxxxxxxxx> wrote:
>> On 10/30/2013 10:27 AM, Alec Leamas wrote:
>>> On 2013-10-30 11:23, Reindl Harald wrote:
>>>> On 30.10.2013 11:20, Alec Leamas wrote:
>>>>> On 2013-10-30 10:58, Reindl Harald wrote:
>>>>>> On 30.10.2013 10:53, Alec Leamas wrote:
>>>>>>> Some kind of reference for the bad in having a well-known, hidden directory in the path?
>>>>>> the *writeable for the user* is the problem
>>>>> Any reference for this problem?
>>>> what about considering the implications?
>>>> do you really need a written reference for any security relevant fact?
>>>> i can write one for you if you prefer links :-)
>>>>
>>> Well, the question is really if someone else out there shares your
>>> concerns about this.
>>
>> Why does it matter? A hidden directory in everyone's path is obviously
>> useful to an attacker, and (IMO) more useful to an attacker than to a user.
>
> The attacker needs to be able to write to your home directory to take
> advantage of it.
> And if he can do that (you lost) he has numerous other ways of doing it

so the people who decided not to put the current directory in the PATH on Unix
*for security reasons* decades ago must be fools and if you would have
been born as this happened you would have told them "forget it, in that
case you are lost"

heroic attitude :-)

*yes* you have lost and in doubt in this situation the interesting thing
is how large the impact becomes
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
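An added example, not part of the thread and not Fedora tooling: a check for the two PATH conditions the messages argue about, entries that resolve against the current directory and directories the user can write to, including which later commands a writable directory shadows. The function names and the mode-bit test (ACLs are ignored) are assumptions of this sketch.

```python
import os
import stat

def user_can_write(path, uid, gids):
    """Mode-bit check: may this uid/gid set create files in the directory?"""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def is_command(directory, name):
    full = os.path.join(directory, name)
    return os.path.isfile(full) and os.access(full, os.X_OK)

def audit_path(path_value, uid, gids=()):
    """Return (entry, issue) findings for a PATH string, in search order."""
    findings = []
    entries = path_value.split(os.pathsep)
    for i, entry in enumerate(entries):
        if not os.path.isabs(entry):
            # "", "." and relative entries all resolve against the cwd
            findings.append((entry, "resolves against current directory"))
            continue
        if not os.path.isdir(entry) or not user_can_write(entry, uid, gids):
            continue
        findings.append((entry, "writable by user"))
        # A file dropped here wins over a same-named command later in PATH
        later = [d for d in entries[i + 1:]
                 if os.path.isabs(d) and os.path.isdir(d)]
        try:
            names = sorted(os.listdir(entry))
        except OSError:
            names = []  # writable but unreadable directory
        for name in names:
            if any(is_command(d, name) for d in later):
                findings.append((entry, "shadows later command: " + name))
    return findings

if __name__ == "__main__":
    current_path = os.environ.get("PATH", "")
    for entry, issue in audit_path(current_path, os.getuid(),
                                   set(os.getgroups())):
        print(f"{entry or '(empty)'}: {issue}")
```

A writable entry placed after the system directories is still reported as writable, but it produces no shadowing findings for commands that exist earlier in the search order.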