On Sat, Nov 2, 2013 at 5:22 AM, drago01 <drago01@xxxxxxxxx> wrote:
> On Fri, Nov 1, 2013 at 11:54 PM, Christopher <ctubbsii@xxxxxxxxxx> wrote:
>> On Fri, Nov 1, 2013 at 5:38 AM, drago01 <drago01@xxxxxxxxx> wrote:
>>> On Fri, Nov 1, 2013 at 10:26 AM, Andrew Haley <aph@xxxxxxxxxx> wrote:
>>>> On 10/30/2013 10:27 AM, Alec Leamas wrote:
>>>>> On 2013-10-30 11:23, Reindl Harald wrote:
>>>>>> On 30.10.2013 11:20, Alec Leamas wrote:
>>>>>>> On 2013-10-30 10:58, Reindl Harald wrote:
>>>>>>>> On 30.10.2013 10:53, Alec Leamas wrote:
>>>>>>>>> Some kind of reference for the bad in having a well-known, hidden
>>>>>>>>> directory in the path?
>>>>>>>> the *writeable for the user* is the problem
>>>>>>> Any reference for this problem?
>>>>>> what about considering the implications?
>>>>>> do you really need a written reference for any security relevant fact?
>>>>>> i can write one for you if you prefer links :-)
>>>>>>
>>>>> Well, the question is really if someone else out there shares your
>>>>> concerns about this.
>>>>
>>>> Why does it matter? A hidden directory in everyone's path is obviously
>>>> useful to an attacker, and (IMO) more useful to an attacker than to a user.
>>>
>>> The attacker needs to be able to write to your home directory to take
>>> advantage of it.
>>> And if he can do that (you lost) he has numerous other ways of doing it.
>>
>> You seem to be saying that attackers don't make decisions based on the
>> probability of getting caught, or based on the level of visibility
>> their actions might incur. There's a reason why muggers tend to mug at
>> night, thieves are more likely to sneak in an unlocked door than break
>> a window, and malware renames files to look innocuous: the less
>> visible, the more effective they are able to not get caught and
>> continue to exploit.
>>
>> Now, we could argue that ~/.local/bin is *just as* visible as ~/bin,
>> because they are both on the PATH,
>
> Sorry but I still don't buy the visible argument. Do you really
> check what is inside ~/bin
> before running every command? Even if you do that I do not need a
> survey to claim that a
> majority of users simply do not do that.

I do, actually... because I put stuff there, so I inspect its contents
periodically when I do. However, my claim above is not about me. I did
not claim that a majority of users behave like me. What I said was, that
you could probably measure, by survey, whether or not the two directories
on the path were equally visible to users. I can say that the two are not
equally visible *to me*, but I'm not going to claim that they are equally
visible to the average user, or even the average security-conscious user.
I *suspect* they aren't equally visible to certain significant subsets of
users, but since it is probably measurable, I'm suggesting a means to
find it out instead of speculating based on my own behavior.

--
Christopher L Tubbs II
http://gravatar.com/ctubbsii

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
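The thread's concern is a PATH entry that is both hidden and writable by the user, where a dropped executable shadows a same-named system command. The following POSIX sh audit is an added example, not code from the thread or from Fedora: it walks a PATH string in order, flags entries that are hidden (a component starting with '.') or writable by the current user, and for each flagged entry reports executables that shadow a command found later in PATH. The function name audit_path and the output format are my own choices.

```shell
#!/bin/sh
# audit_path PATH_STRING
# Prints one line per finding:
#   hidden   <dir>                       a PATH component starts with '.'
#   writable <dir>                       the current user can write there
#   shadow   <dir>/<name> -> <later>/<name>   an executable in a flagged dir
#                                        hides a same-named one later in PATH
audit_path() {
    oldIFS=$IFS; IFS=:
    set -- $1            # split on ':' into positional parameters, in PATH order
    IFS=$oldIFS
    i=0
    for dir in "$@"; do
        i=$((i + 1))
        [ -n "$dir" ] && [ -d "$dir" ] || continue
        flagged=0
        # Any "/.something" component makes the entry hidden (e.g. ~/.local/bin).
        case "$dir" in */.?*) echo "hidden   $dir"; flagged=1 ;; esac
        if [ -w "$dir" ]; then echo "writable $dir"; flagged=1; fi
        [ "$flagged" -eq 1 ] || continue
        # Earlier entries win: check whether each executable here masks a
        # same-named executable in any later PATH entry.
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            name=${f##*/}
            j=0
            for later in "$@"; do
                j=$((j + 1))
                [ "$j" -gt "$i" ] || continue
                if [ -f "$later/$name" ] && [ -x "$later/$name" ]; then
                    echo "shadow   $f -> $later/$name"
                    break
                fi
            done
        done
    done
    return 0
}

# Audit the live PATH of the current shell when run as a script.
audit_path "$PATH"
```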