On Fri, Nov 1, 2013 at 7:12 PM, Andrew Haley <aph@xxxxxxxxxx> wrote:
> On 11/01/2013 09:38 AM, drago01 wrote:
>> The attacker needs to be able to write to your home directory to
>> take advantage of it. And if he can do that (you lost) he has
>> numerous other ways of doing it.
>
> That is true. However, there is an advantage to this one for the
> attacker: the user probably doesn't know it's there.
I don't think this in practice matters _for security_[1]: Even the
users that know ~/bin exists are extremely unlikely to be regularly
checking its contents to see whether a malicious file hasn't been
added.
> It's a matter of the attack surface: the 'sum of the different points
> (the "attack vectors") where an unauthorized user (the "attacker") can
> try to enter.' [Wikipedia]
In all of the scenarios we've been talking about, the attack has
already _succeeded_; there is no longer any relevant attack surface
left.[2]
Mirek
[1] It might matter for troubleshooting.
[2] Possible privilege escalations attacks to get root's or other
user's permissions are irrelevant to our discussion.
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
