On Saturday 03 June 2006 16:11, znx <[EMAIL PROTECTED]> wrote about 'Re: [gentoo-user] bash wizardry needed: PATH and MANPATH grow and grow and grow':
> On 27/05/06, Kevin O'Gorman <[EMAIL PROTECTED]> wrote:
> > Open to debate. I'd think it's not very dangerous at the *end* of
> > the PATH.
>
> True, I have modified the script so that a . may enter the PATH (etc)
> only as the final entry. Also good point about ~/bin .. it is just as
> dangerous.

Actually, it's not as dangerous. ~/bin is a well-known location that is (normally) only writable by the user themselves. '.' is a floating location, that may (from time to time) refer to a directory that is world-writable like /tmp, /var/tmp, or /dev/shm. Having '.' in your path allows arbitrary guest users to run programs with your permissions. Putting it at the end of your PATH prevents them from shadowing existing commands, but doesn't prevent them from taking advantage of typos. Having ~/bin or even just ~ in your PATH does not open this security hole unless you also make that directory world writable.

--
"If there's one thing we've established over the years, it's that the vast majority of our users don't have the slightest clue what's best for them in terms of package stability."
-- Gentoo Developer Ciaran McCreesh
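
A check for the two conditions described in this message, written as an added example (not part of the original post): it flags PATH entries that resolve to the current directory and entries that are world-writable directories. It goes slightly beyond the message by also treating empty and other relative entries as floating locations; the function name `audit_path` and the output labels are made up for this example.

```shell
#!/bin/sh
# audit_path PATHSTRING   (hypothetical helper, e.g. audit_path "$PATH")
# Prints one finding per line; returns 1 if anything was flagged, 0 otherwise.
audit_path() {
    _rc=0
    # Trailing ':' lets the loop see an empty final entry ("/bin:" ends in one).
    _rest="$1:"
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}      # text before the first ':'
        _rest=${_rest#*:}      # everything after it
        case $_dir in
            '') echo "cwd: empty entry (treated as current directory)"
                _rc=1; continue ;;
            .)  echo "cwd: '.' entry"
                _rc=1; continue ;;
            /*) ;;             # absolute: fixed location, permissions checked below
            *)  echo "relative: $_dir"
                _rc=1; continue ;;
        esac
        [ -d "$_dir" ] || continue
        # ls -ldL follows symlinks; character 9 of the mode string is other-write.
        # A sticky directory such as /tmp (drwxrwxrwt) still matches.
        case $(ls -ldL "$_dir" 2>/dev/null) in
            d???????w*) echo "world-writable: $_dir"; _rc=1 ;;
        esac
    done
    return $_rc
}
```

Run it as `audit_path "$PATH"` from a login shell and again from any script that builds PATH incrementally, since repeated appends are where stray `.` and empty entries tend to appear.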