On 01.11.2013 11:08, Petr Viktorin wrote:
> On 11/01/2013 10:48 AM, Reindl Harald wrote:
>> On 01.11.2013 10:38, drago01 wrote:
>>> On Fri, Nov 1, 2013 at 10:26 AM, Andrew Haley <aph@xxxxxxxxxx> wrote:
>>>> On 10/30/2013 10:27 AM, Alec Leamas wrote:
>>>>> On 2013-10-30 11:23, Reindl Harald wrote:
>>>>>> On 30.10.2013 11:20, Alec Leamas wrote:
>>>>>>> On 2013-10-30 10:58, Reindl Harald wrote:
>>>>>>>> On 30.10.2013 10:53, Alec Leamas wrote:
>>>>>>>>> Some kind of reference for the bad in having a well-known, hidden directory in the path?
>>>>>>>> the *writable for the user* is the problem
>>>>>>> Any reference for this problem?
>>>>>> what about considering the implications?
>>>>>> do you really need a written reference for any security-relevant fact?
>>>>>> I can write one for you if you prefer links :-)
>>>>>>
>>>>> Well, the question is really if someone else out there shares your
>>>>> concerns about this.
>>>>
>>>> Why does it matter? A hidden directory in everyone's path is obviously
>>>> useful to an attacker, and (IMO) more useful to an attacker than to a user.
>>>
>>> The attacker needs to be able to write to your home directory to take
>>> advantage of it.
>>> And if he can do that (you lost) he has numerous other ways of doing it
>>
>> so the people who decided not to put the current directory in the
>> PATH on Unix *for security reasons* decades ago must be
>> fools, and if you had been born when this happened you
>> would have told them "forget it, in that case you are lost"
>
> Was that even for security reasons?

yes, Google may help here

> Anyway, how is this relevant to this discussion? How does a static, well-known (maybe not to you so far) bin
> directory compare to the danger of . in PATH and, say, a rootkit in /tmp/cp?

the rootkit in /tmp/cp is in your path?
>> heroic attitude :-)
>>
>> *yes* you have lost and in doubt in this situation the
>> interesting thing is how large the impact becomes
>
> Users of a multi-user system get to customize their system without having to bother a sysadmin, and without seeing
> technical details of how that's accomplished mixed with their ~/Photos and ~/Documents.

on multi-user systems it is *intentional* that the user does *not* install software on its own,
and if this should be the case the admin will *one time* add a directory to PATH and say "there you go"

> What impact did *you* have in mind?

the *security* impact after "you have lost" happened
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
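The thread argues over two distinct PATH hazards: entries that resolve against the current directory ("." or an empty field, the case the rootkit-in-/tmp/cp remark is about) and absolute directories that the unprivileged user, or anyone on the host, can write to (the ~/bin / ~/.local/bin case). The script below is an added example written for this page, not part of the thread or of any Fedora tooling; it audits a PATH string for both classes of entry so an admin or user can see what their own shell would search. It assumes only POSIX sh, find(1) with -prune and -perm, and id(1); the function names audit_path and count_findings and the tag words it prints are my own choices.

```shell
#!/bin/sh
# Audit a PATH string for entries that let someone plant a command that other
# programs will pick up. Assumptions: POSIX sh, POSIX find(1) and id(1).
# This is illustrative code for the discussion above, not a distribution tool.
#
# Usage: audit_path [PATH_STRING]   (defaults to the caller's $PATH)
# Prints one tab-separated, tagged finding per line.
# Returns 0 if nothing was flagged, 1 otherwise.
audit_path() {
    findings=0
    # Walk the entries by hand rather than via IFS splitting so that empty
    # fields ("::", leading or trailing ":") are not silently dropped: the
    # shell treats an empty PATH entry as the current directory, just like ".".
    rest="${1-$PATH}:"
    while [ -n "$rest" ]; do
        d=${rest%%:*}
        rest=${rest#*:}
        if [ -z "$d" ]; then
            printf 'EMPTY\t(empty entry searches the current directory)\n'
            findings=$((findings + 1)); continue
        fi
        case $d in
            /*) ;;
            *)  printf 'RELATIVE\t%s (resolves against the current directory)\n' "$d"
                findings=$((findings + 1)); continue ;;
        esac
        if [ ! -d "$d" ]; then
            # A well-known entry that does not exist yet belongs to whoever
            # gets to create it first.
            printf 'MISSING\t%s\n' "$d"
            findings=$((findings + 1)); continue
        fi
        # World-writable directory: any account on the host can drop a binary here.
        if [ -n "$(find "$d" -prune -perm -002 2>/dev/null)" ]; then
            printf 'WORLD-WRITABLE\t%s\n' "$d"
            findings=$((findings + 1))
        fi
        # Writable by the calling user: the ~/bin-style case debated in the thread.
        # Whether that is acceptable is a policy decision; the audit only reports it.
        if [ -w "$d" ]; then
            printf 'USER-WRITABLE\t%s (writable by %s)\n' "$d" "$(id -un)"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Number of findings for a PATH string, printed on stdout (helper for scripting).
count_findings() {
    audit_path "$1" | wc -l | tr -d ' '
}

# When run directly, audit the caller's own environment.
audit_path "$PATH" && echo "PATH: no findings"
```

Run it as `sh audit_path.sh` to check the current shell, or `audit_path "$PATH"` from a login script to fail a session that has picked up a stray entry. The USER-WRITABLE tag is deliberately separate from WORLD-WRITABLE: the former is the trade-off the thread is arguing about, the latter is a plain misconfiguration.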