Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

On Wed, May 2, 2018 at 6:44 AM Miro Hrončok <mhroncok@xxxxxxxxxx> wrote:
> On 2.5.2018 15:30, Stephen Gallagher wrote:
> >     Does anyone see a reason not to prioritize ~/.local/bin over /usr/bin?
> >
> > Yes, if a user's account is compromised (or any service running as
> > them), it's REALLY easy to drop faked tools into a user-private
> > directory and override critical system tools (like replacing 'bash' with
> > a keylogger).
>
> If user's account is compromised, user's PATH can be changed. IMHO the
> provided argument is not valid.

There are a lot of ways where their account can be compromised without having complete session access. If they're running a web-connected application as their user, that application could be compromised to write a file to disk. If that file can now supersede the system copy, they have now escalated the degree of the compromise.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
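
The concern raised in the reply above depends on a user-writable directory sitting ahead of the system directory on the PATH. The following shell function is an added example, not part of the thread or of any Fedora tooling: it reports executables in directories the current user can write to that take precedence over a same-named executable later on the PATH. The function name `shadowed_commands` is hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): audit a PATH string for commands in
# user-writable directories that shadow a same-named executable found in a
# later PATH entry.
# Usage: shadowed_commands "$PATH"
# Output: one line per finding, "<writable file> shadows <later file>"
shadowed_commands() {
    path_list=$1
    old_ifs=$IFS
    IFS=:
    set -f                      # no globbing while PATH is being split
    set -- $path_list           # PATH entries become $1, $2, ...
    set +f
    IFS=$old_ifs
    idx=0
    for dir in "$@"; do
        idx=$((idx + 1))
        [ -n "$dir" ] || dir=.  # an empty entry (leading ':') is the current directory
        # Only directories the current user can write to are of interest.
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            for f in "$dir"/*; do
                [ -f "$f" ] && [ -x "$f" ] || continue
                name=${f##*/}
                j=0
                # Search only the entries that come after this one.
                for later in "$@"; do
                    j=$((j + 1))
                    [ "$j" -gt "$idx" ] || continue
                    [ -n "$later" ] || later=.
                    [ "$later" != "$dir" ] || continue
                    if [ -f "$later/$name" ] && [ -x "$later/$name" ]; then
                        printf '%s shadows %s\n' "$f" "$later/$name"
                        break
                    fi
                done
            done
        fi
    done
}
```

When run as root every directory tests as writable, so the output is most meaningful when the function is run as the unprivileged user whose PATH is being checked.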
