I'm no infosec expert, but...

On 06/12/2018 07:31 PM, Miro Hrončok wrote:
> On 12.6.2018 19:20, Howard Howell wrote:
>> I haven't followed all of this thread, too self busy.  However there is
>> a security argument.  If you have a local executable directory, then
>> the capability for malicious software to attach is wide open for that
>> user, whatever their privelege level might be.
> Executable directory? If you have power over user $HOME, you can change
> user's $PATH.

Is it so easy, though?

I've seen many examples with .bashrc, but .bashrc only does it for bash
(and only in interactive mode, IIRC).  One has to do it for something
like .xsessionrc -- frankly I'm not sure if there is such file that applies.

OTOH, by adding .local/bin, the attacker does not have to care where (or
how) to set the path, they really only need to drop new file.

I guess my point is that it won't make attacks possible (they already
are), but it might be making them easier.


Alois Mahdal <amah...@redhat.com>
Platform QE Engineer at Red Hat, Inc.
#brno, #daemons, #preupgrade
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 

Reply via email to