Hi, I'm no infosec expert, but... On 06/12/2018 07:31 PM, Miro Hrončok wrote: > > On 12.6.2018 19:20, Howard Howell wrote: >> I haven't followed all of this thread, too self busy. However there is >> a security argument. If you have a local executable directory, then >> the capability for malicious software to attach is wide open for that >> user, whatever their privelege level might be. > > Executable directory? If you have power over user $HOME, you can change > user's $PATH. Is it so easy, though? I've seen many examples with .bashrc, but .bashrc only does it for bash (and only in interactive mode, IIRC). One has to do it for something like .xsessionrc -- frankly I'm not sure if there is such file that applies. OTOH, by adding .local/bin, the attacker does not have to care where (or how) to set the path, they really only need to drop new file. I guess my point is that it won't make attacks possible (they already are), but it might be making them easier. Thanks, aL. -- Alois Mahdal <amahdal@xxxxxxxxxx> Platform QE Engineer at Red Hat, Inc. #brno, #daemons, #preupgrade _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/JOKH54HGNPJQJYANZKWXKYUF2VBOLQJJ/
