Nico Kadel-Garcia wrote: > On Fri, Jun 15, 2018 at 12:55 PM, Till Maas <opensource@xxxxxxxxx> wrote: > > So the assumption is to have a super sophisticated browser exploit for which > > an attacker most likely spent several days to find it and then the PATH > > setting will make it so much harder that the exploit will not succeed? There > > are a lot more real challenges that attackers have to face. > > No "browser" sophistication is necessary. The replacement of default > system utilities by anyone who write into that private but > semi-concealed $HOME/.local/bin/ And how did the attacker acquire write access to $HOME/.local/bin/ in the first place? Do you know of a way to do that so easily that appending a line to one of the shell startup files seems sophisticated in comparison? I don't much like the proposed change to PATH, but I'm getting *really* sick of all the security by handwaving that's going on in this thread. Could everybody please discuss *relevant* attack scenarios, instead of scenarios that begin with the attacker already having so much access that the value of PATH doesn't matter? Björn Persson
Attachment:
pgpIwZenBCE_N.pgp
Description: OpenPGP digital signatur
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/RONATBV5Z2E2AUGKQ4BFJIETMIKZZ6M3/
