I'm no infosec expert, but...
On 06/12/2018 07:31 PM, Miro Hrončok wrote:
> On 12.6.2018 19:20, Howard Howell wrote:
>> I haven't followed all of this thread, too self busy. However there is
>> a security argument. If you have a local executable directory, then
>> the capability for malicious software to attach is wide open for that
>> user, whatever their privelege level might be.
> Executable directory? If you have power over user $HOME, you can change
> user's $PATH.
Is it so easy, though?
I've seen many examples with .bashrc, but .bashrc only does it for bash
(and only in interactive mode, IIRC). One has to do it for something
like .xsessionrc -- frankly I'm not sure if there is such file that applies.
OTOH, by adding .local/bin, the attacker does not have to care where (or
how) to set the path, they really only need to drop new file.
I guess my point is that it won't make attacks possible (they already
are), but it might be making them easier.
Alois Mahdal <amah...@redhat.com>
Platform QE Engineer at Red Hat, Inc.
#brno, #daemons, #preupgrade
devel mailing list -- email@example.com
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines