On 06/15/2018 11:24 AM, Till Maas wrote:
> ...]
>
>> What I'm trying to say is that with these kinds of attack (like viruses,
>> or exploits on massively accessed page), there is inevitably going to be
>> some sort of economic decision on side of author affecting how "smart"
>> they want the code to be.
>>
>> Thus, every little step you're making towards "easier" translates to
>> dumber exploits being able to succeed. Suddenly not just those that did
>> 2 things but also those that did 1 thing.
>
> So the assumption is to have a super sophisticated browser exploit for
> which an attacker most likely spent several days to find it and then the
> PATH setting will make it so much harder that the exploit will not
> succeed? There are a lot more real challenges that attackers have to face.

The attacker could have looked up the exploit on the web.

I think you keep putting some kind of base standard on the hypothetical
attacker and then your argument is "if they can do X then they can do Y".
Because we're both SW engineers, the relation between X and Y is obvious
to us, so yeah, anybody who would do X would totally obviously also do Y.
Sure, we've been there so many times we don't even think about it.

OTOH, I don't think that's the best way to think about security. There
are no standards. The amount of code (dedicated to Linux) could totally
be just that single line, writing the payload to .local/bin. By including
the path in default $PATH, you are allowing also the one-bit-dumber attack
to succeed (... now with all Fedora users, yay!...)

>> My point is that security is not a black & white concept.
>>
>> It's a float, not a bool. And I'm not arguing about the amount, but
>> merely against the black & white thinking. With all respect, to me it
>> sounds kinda like saying "why wash my hands when diseases can spread
>> through air".
>
> The initial theory in this thread was that it is a significant security
> risk. And all the arguments for this are either "it's obvious" or are
> based on arbitrarily constructed scenarios. If you are saying it just
> makes a minor impact, then we do not need to discuss further because
> this is good enough for me.

I'm saying there is some impact. I'm not aware of any meaningful way to
measure it, but I don't think it's necessary: IMHO even making a "minor"
impact is already a bad idea. Especially if I don't really see any
convincing reason why this should be done.

The "bug" with /usr/bin/pip should IMO be fixed with /usr/bin/pip--IIUC
it's this bin that starts to conflate system libs with stuff under $HOME
(My guess is you could have this kind of breakage even in a way unrelated
to $PATH.)

Thanks,
aL.

--
Alois Mahdal <amahdal@xxxxxxxxxx>
Platform QE Engineer at Red Hat, Inc.
#brno, #daemons, #preupgrade
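The shadowing condition the thread argues about, as an added example that is not part of the original message: a POSIX sh audit that flags PATH entries under $HOME searched before the system directories, and a resolver showing which `pip` such an order picks. The directory layout below is constructed with mktemp as a stand-in for ~/.local/bin and /usr/bin; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a PATH value for
# a $HOME directory searched ahead of the system directories, and show
# which binary such an order resolves first.

# Print each PATH entry ($1) under $home ($2) that is searched before
# the first entry outside $home. Entries after that point cannot shadow it.
home_entries_shadowing_system() (
    IFS=':'
    for dir in $1; do
        case "$dir" in
            "$2"/*|"$2") printf '%s\n' "$dir" ;;
            *) break ;;
        esac
    done
)

# Print the first executable named $1 found along PATH value $2, i.e. the
# file a shell would run for that command name; return 1 if none exists.
resolve_cmd() (
    IFS=':'
    for dir in $2; do
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            exit 0
        fi
    done
    exit 1
)

# Constructed demo tree: a fake home with .local/bin and a separate fake
# system bin, each holding a harmless script named "pip".
demo_home=$(mktemp -d)
demo_sys=$(mktemp -d)
mkdir -p "$demo_home/.local/bin"
printf '#!/bin/sh\necho system pip\n' > "$demo_sys/pip"
printf '#!/bin/sh\necho user-local pip\n' > "$demo_home/.local/bin/pip"
chmod 755 "$demo_sys/pip" "$demo_home/.local/bin/pip"

proposed_path="$demo_home/.local/bin:$demo_sys"   # home dir first
safer_path="$demo_sys:$demo_home/.local/bin"      # system dirs first

echo "Shadowing entries in proposed PATH:"
home_entries_shadowing_system "$proposed_path" "$demo_home"
echo "pip resolves to: $(resolve_cmd pip "$proposed_path")"
echo "With system dirs first, pip resolves to: $(resolve_cmd pip "$safer_path")"
```

The audit is deliberately string-based (it does not probe writability), so it gives the same answer whether run as the user or as root; the demo directories are left in place for inspection.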