severity 606369 wishlist
retitle 606369 skel/.profile: put $HOME/bin at end of $PATH
quit

Justin B Rye wrote:

> If as an innocent newcomer to GNU/Linux I sort a set of downloaded
> scripts into one directory called "keep" and another called "bin",
> that doesn't necessarily mean I intend the second set to receive a
> privileged position on my $PATH - on the contrary, it may mean I
> think they look suspicious and intend to throw them away.

Sounds like a good reason to remove the special handling of ~/bin from
the default skel/.profile altogether.  If you are interested in that,
please file a new bug (for example by cloning this one).

I do not find it a good reason to keep ~/bin at the end of $PATH.  The
suspicious user can be tricked into saving a malicious script named
"sl" to ~/bin.  The next time she transposes the letters of "ls" on
the command line, trouble.

Similar is the possibility of programs in ~/bin being run by scripts.
The following is not such an unusual pattern:

        for browser in mozilla netscape lynx
        do
                if type $browser >/dev/null 2>&1
                then
                        $browser $url
                        return
                fi
        done
        echo >&2 "could not find web browser"
        exit 1

A malicious script named 'netscape' in ~/bin could be run by such a
non-Debian app with no typos involved.  Likewise for many other
utilities that may not already be available on the $PATH.

> Malice isn't the only thing we need security against; the reason I
> keep ~/bin at the *end* of my $PATH is for protection against my own
> foolish mistakes.

Makes sense.

I think you will find people wanting both variants, so I am happy
this is a user-editable file. :)
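
Added example, not part of the original message or of any Debian package: a POSIX sh audit that reports, for each executable in a user directory, whether it wins $PATH lookup or is shadowed by an earlier directory, run under both orderings discussed above. The function names and the temporary directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added example; first_on_path, audit_user_bin and demo are hypothetical names.

# first_on_path NAME PATHSTRING: print the first directory in PATHSTRING that
# holds an executable file NAME; return 1 if none does. The body is a
# subshell, so the IFS change does not leak into the caller.
first_on_path() (
    IFS=:
    for d in $2; do
        [ -n "$d" ] || d=.      # an empty PATH element means the current directory
        if [ -f "$d/$1" ] && [ -x "$d/$1" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
)

# audit_user_bin USERDIR PATHSTRING: one line per executable in USERDIR.
#   wins NAME          typing NAME runs the file in USERDIR
#   shadowed NAME DIR  an earlier DIR on PATHSTRING provides NAME instead
#   unreachable NAME   no directory on PATHSTRING provides NAME
# USERDIR must be spelled exactly as it appears in PATHSTRING.
audit_user_bin() {
    for f in "$1"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        name=${f##*/}
        winner=$(first_on_path "$name" "$2") || winner=
        if [ "$winner" = "$1" ]; then
            echo "wins $name"
        elif [ -n "$winner" ]; then
            echo "shadowed $name $winner"
        else
            echo "unreachable $name"
        fi
    done
}

# Constructed demo: a stand-in system directory that provides only "ls", and
# a stand-in ~/bin holding "ls", "sl" and "netscape".
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/sys" "$t/home/bin"
    for f in "$t/sys/ls" "$t/home/bin/ls" "$t/home/bin/sl" "$t/home/bin/netscape"; do
        printf '#!/bin/sh\n' > "$f" && chmod +x "$f"
    done
    echo "~/bin last:";  audit_user_bin "$t/home/bin" "$t/sys:$t/home/bin"
    echo "~/bin first:"; audit_user_bin "$t/home/bin" "$t/home/bin:$t/sys"
    rm -rf "$t"
}
demo
```

With ~/bin last, only names that nothing else on $PATH provides ("sl", "netscape") are reported as "wins"; with ~/bin first, "ls" wins as well.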


