Re: Why debian put ~/bin beginning of $PATH

2017-08-14 Thread Vincent Lefevre
On 2017-08-09 03:11:48 +0800, spp mg wrote:
> The ~/.profile has the below default setting:
> 
> --
> # set PATH so it includes user's private bin if it exists
> if [ -d "$HOME/bin" ] ; then
> PATH="$HOME/bin:$PATH"
> fi
> --
> 
> Why put ~/bin at the beginning? Is that dangerous?

No, it's the opposite that is potentially dangerous. For instance,
you install some executable foo in your ~/bin, so that you can run
just "foo". Then, imagine that after some system upgrade or package
installation, a new executable "foo" gets installed somewhere in
the system path. So, when you run "foo", it will no longer be your
executable, but the system one, and if this executable is destructive,
you may lose data...

It is "." that must never be put in front of the path. Putting it
at the end might be OK, but this is not even recommended, due to
the above issue and also because you may run a wrong executable by
mistake.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Re: Why debian put ~/bin beginning of $PATH

2017-08-11 Thread Byung-Hee HWANG (황병희, 黃炳熙)
> Why put ~/bin at the beginning?

Two weeks ago, I installed a new Ruby. At that time it was proper for me. By
the Debian rule, users can test new programs. Yes, I think in positive.

Sincerely,

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//



Re: Why debian put ~/bin beginning of $PATH

2017-08-09 Thread David Wright
On Wed 09 Aug 2017 at 18:04:56 (+0200), Gian Uberto Lauri wrote:

> Having ~/bin before /bin and /usr/bin (and /usr/local/bin) is of no
> harm at all if your account is safe enough.
> 
> If and only if someone can log on with your account, she can put a
> malicious copy/wrapper of a system command (ls to name one) in your
> bin and you could trigger it thinking to use the system version.
> 
> What *is* dangerous is having . before system directories, especially
> on multi-user machines.
> 
> In this scenario, user A, who has . in the path before /bin, goes in a
> directory of user B and does an 'ls'.
> 
> That directory contains an executable called ls that is smart enough
> to hide itself. But bastard enough to do something nasty, a Trojan
> horse. And user A just brought it within the walls...

While putting . _anywhere_ in PATH would be stupid, there is a more
insidious trap for the unaware, namely mistaking : for a delimiter
instead of a separator.

An extra colon (anywhere) will yield a null entry.

A null entry in PATH is treated as the current directory.

Examples:   foo:bar:   foo::bar   :foo:bar   and obviously   :foo:bar:

Cheers,
David.
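Both traps raised in this thread, an empty or "." entry that silently means the current directory (David's point) and a name in an early PATH directory shadowing the same name further along (Vincent's point), can be checked mechanically. The following is an added example, not code from the thread: POSIX sh that reads a PATH string exactly as the shell does, so it can be run on a constructed string or on "$PATH".

```shell
#!/bin/sh
# Added example, not code from the thread: read a PATH string the way the
# shell does and report the two risks discussed above.

# path_cwd_entries PATH_STRING
# Prints one line per entry that means "the current directory": an empty
# entry (from a leading, trailing or doubled ":") or "." itself, with its
# 1-based position, e.g. "2: (empty)" for "foo::bar".
path_cwd_entries() {
    _rest="$1:"     # the trailing ":" makes a final empty entry visible
    _i=0
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        _i=$((_i + 1))
        case "$_entry" in
            "") echo "$_i: (empty)" ;;
            .)  echo "$_i: ." ;;
        esac
    done
}

# path_shadowed PATH_STRING
# For every executable name present in more than one existing directory
# of PATH_STRING, prints "name: dir1 dir2 ..." in PATH order; the first
# directory listed is the one the shell actually runs.
path_shadowed() {
    _rest="$1:"
    while [ -n "$_rest" ]; do
        _d=${_rest%%:*}
        _rest=${_rest#*:}
        [ -d "$_d" ] || continue
        for _f in "$_d"/*; do
            # tab-separated so directory names with spaces survive awk
            if [ -f "$_f" ] && [ -x "$_f" ]; then
                printf '%s\t%s\n' "${_f##*/}" "$_d"
            fi
        done
    done | awk -F '\t' '
        !($1 in n) { order[++k] = $1 }
        { dirs[$1] = dirs[$1] " " $2; n[$1]++ }
        END { for (i = 1; i <= k; i++)
                  if (n[order[i]] > 1) print order[i] ":" dirs[order[i]] }'
}

# On the live environment: path_cwd_entries "$PATH"; path_shadowed "$PATH"
```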



Re: Why debian put ~/bin beginning of $PATH

2017-08-09 Thread Gian Uberto Lauri
> "慕冬" == 慕 冬亮  writes:

慕冬> Users' commands are usually stored in "/usr/local/bin". It should
慕冬> be placed before "/bin" in the $PATH.

/usr/local is a directory hierarchy for binaries typical of the local
installation and being, by default, owned by root, it is not a
directory for user commands.

Having ~/bin before /bin and /usr/bin (and /usr/local/bin) is of no
harm at all if your account is safe enough.

If and only if someone can log on with your account, she can put a
malicious copy/wrapper of a system command (ls to name one) in your
bin and you could trigger it thinking to use the system version.

What *is* dangerous is having . before system directories, especially
on multi-user machines.

In this scenario, user A, who has . in the path before /bin, goes in a
directory of user B and does an 'ls'.

That directory contains an executable called ls that is smart enough
to hide itself. But bastard enough to do something nasty, a Trojan
horse. And user A just brought it within the walls...

-- 
 /\   ___Ubuntu: ancient
/___/\_|_|\_|__|___Gian Uberto Lauri_   African word
  //--\| | \|  |   Integralista GNUslamicomeaning "I can
\/ coltivatore diretto di software   not install
 già sistemista a tempo (altrui) perso...Debian"

Warning: gnome-config-daemon considered more dangerous than GOTO



Re: Why debian put ~/bin beginning of $PATH

2017-08-09 Thread 慕 冬亮


On 08/08/2017 04:56 PM, spp mg wrote:
> 2017-08-09 4:04 GMT+08:00 Michael Lange :
>> Hi,
>>
>> On Wed, 9 Aug 2017 03:11:48 +0800
>> spp mg  wrote:
>>
>>> Hi all
>>>
>>> The ~/.profile has the below default setting:
>>>
>>> --
>>> # set PATH so it includes user's private bin if it exists
>>> if [ -d "$HOME/bin" ] ; then
>>>  PATH="$HOME/bin:$PATH"
>>> fi
>>> --
>>>
>>> Why put ~/bin at the beginning? Is that dangerous?
>> like other people already pointed out there shouldn't be anything
>> dangerous about this.
>> One possible use case is for example that you could put there a
>> minimal script that temporarily overrides some environment variable, like
>> one I have here which reads:
>>
>> #!/bin/bash
>> GTK_IM_MODULE=gtk /usr/bin/poedit $@
>> exit $?
>>
>> This way I can conveniently call "poedit " with the desired
>> setting of GTK_IM_MODULE without either having to type the whole thing
>> each time or else having to permanently change GTK_IM_MODULE's setting
>> (the default value of which I modified for other reasons).
>>
>> Best regards
>>
>> Michael
>>
>> .-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.
>>
>> Fascinating, a totally parochial attitude.
>>  -- Spock, "Metamorphosis", stardate 3219.8
>>
> Thanks for replying (very fast :D)
>
> I think it may be dangerous because generally system commands should be
> of higher order than the user's commands.
Users' commands are usually stored in "/usr/local/bin". It should be 
placed before "/bin" in the $PATH.

And it does in my Debian Stretch.

echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

> For example, some guy puts an "rm" named "ls" into ~/bin. This "ls"
> can be a virus or ransomware; the user may not know it's not the one he
> wants ("ls").
If someone replaces "ls" with "rm", you cannot prevent this by trying to 
put "/bin" at the end of $PATH.

$PATH is used to search for executable files. The head of $PATH has 
high priority.

If there are two "ls" in different places (one in /bin, one in /usr/bin) of 
$PATH, it causes different effects (which ls will be executed) depending on whether or 
not you put "/bin" at the end of $PATH.
> So I think putting ~/bin at the tail of $PATH has better security for normal users.
>
> For me, I will avoid using the same name as an existing command, and for users
> who want to use the same name, I believe they know or will learn how to modify
> $PATH.
>
>
> I mean, putting ~/bin at the tail of $PATH will be better for the default setting,
> so does the developer have another reason to put it at the beginning?
>

-- 

---
My best regards to you.

  No System Is Safe!
  Dongliang Mu



Re: Why debian put ~/bin beginning of $PATH

2017-08-09 Thread Greg Wooledge
On Tue, Aug 08, 2017 at 10:04:32PM +0200, Michael Lange wrote:
> #!/bin/bash
> GTK_IM_MODULE=gtk /usr/bin/poedit $@
> exit $?

Should be:

#!/bin/bash
GTK_IM_MODULE=gtk exec /usr/bin/poedit "$@"

You could also use #!/bin/sh, since this doesn't use any bash extensions.
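To make the difference between Michael's original wrapper body and Greg's corrected one concrete, here is an added example (not code from the thread) that replaces /usr/bin/poedit with a stand-in function reporting its arguments, and checks that exec hands the wrapper's process over to the program instead of forking a child.

```shell
#!/bin/sh
# Added example, not code from the thread: the original and corrected
# wrapper bodies side by side, with /usr/bin/poedit replaced by a stand-in
# function so the effect of the quoting is visible.

# Stand-in for the wrapped program: prints the argument count, then each
# argument in brackets on its own line.
target() {
    printf '%d\n' "$#"
    for _a in "$@"; do printf '[%s]\n' "$_a"; done
}

# Original body: unquoted $@ is word-split (and globbed) a second time, so
# a file name containing a space arrives as two arguments.
wrapper_unquoted() {
    GTK_IM_MODULE=gtk target $@
}

# Corrected body: "$@" forwards every argument intact. A function cannot
# exec here; in the real script the line is
#   GTK_IM_MODULE=gtk exec /usr/bin/poedit "$@"
# and the separate "exit $?" is redundant either way, since a script exits
# with the status of its last command.
wrapper_quoted() {
    GTK_IM_MODULE=gtk target "$@"
}

# Why exec: the program takes over the wrapper's process rather than running
# as its child, so no extra shell lingers in the process tree. Returns 0 when
# the PID printed by a shell and the PID of the program it exec'd are equal.
exec_keeps_pid() {
    sh -c 'echo "$$"; exec sh -c "echo \$\$"' |
        { read _outer; read _inner; [ "$_outer" = "$_inner" ]; }
}
```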



Re: Why debian put ~/bin beginning of $PATH

2017-08-08 Thread Teemu Likonen
Teemu Likonen [2017-08-09 07:42:43+03] wrote:

> rm --force "$HOME/bin"

Fix:

rm --force --recursive "$HOME/bin"

-- 
/// Teemu Likonen   - .-..    //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///




Re: Why debian put ~/bin beginning of $PATH

2017-08-08 Thread Teemu Likonen
spp mg [2017-08-09 04:56:58+08] wrote:

> For example , some guy put a "rm" but named "ls" to ~/bin . This "ls"
> can be virus or ransomware , user may not know it's not which he
> want("ls").

The "some guy" who does that will also modify the ~/.profile file or
similar startup scripts to _ensure_ that their program is in the
beginning of the PATH, no matter what the PATH variable was originally.

If $USER has a malicious program running with their $UID the program can
do everything the $USER can do. It's a game over situation and default
settings in ~/.profile or similar do not matter.

But sometimes it may be useful to write a root-owner startup script (one
example: /etc/X11/Xsession.d/50custom-stuff) which could do something
like

rm --force "$HOME/bin"
cp --recursive --force /etc/skel/. "$HOME"

so that some default files are restored at every login.

-- 
/// Teemu Likonen   - .-..    //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///




Re: Why debian put ~/bin beginning of $PATH

2017-08-08 Thread Michael Lange
Hi,

On Wed, 9 Aug 2017 04:56:58 +0800
spp mg  wrote:

(...)
> For example, some guy puts an "rm" named "ls" into ~/bin. This "ls"
> can be a virus or ransomware; the user may not know it's not the one he
> wants ("ls").

a user without administrator privilege can generally put "malware"
anywhere in *his own* home directory and it could possibly cause the same
damage from there (if the system is configured properly hopefully not
that much), so this does not matter, I think.

I think you forget that your "some guy" must be either the user him- or
herself or the system administrator (root)! If your users or
sysadmins desperately want to shoot themselves in the foot, don't worry,
they will find some way, you will not be able to stop them. But why would
normal people do such a thing? And any malware programmer who secretly
"injects" something bad into your system will probably not rely on ~/bin
being at the start of PATH, these people have other ways.

> 
> So I think putting ~/bin at the tail of $PATH has better security for normal
> users.

Why? If the user puts a program called "evilmalware" there, it simply
does not matter where in PATH it is. And when the user does something
sane instead, as in my "poedit" example, it will no longer work :(

> 
> For me, I will avoid using the same name as an existing command, and for users
> who want to use the same name, I believe they know or will learn how to modify
> $PATH.
> 
> 
> I mean, putting ~/bin at the tail of $PATH will be better for the default setting,
> so does the developer have another reason to put it at the beginning?

I think the reason is exactly as I and others have said, the benefit to
security you get by omitting ~/bin from the beginning of PATH is more
"feeling" than "reality", the real dangers are waiting somewhere else :)
And the benefit of this default setting is that a user without privilege
may override a system default command. 

Best regards

Michael

.-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.

Where there's no emotion, there's no motive for violence.
-- Spock, "Dagger of the Mind", stardate 2715.1



Re: Why debian put ~/bin beginning of $PATH

2017-08-08 Thread spp mg
2017-08-09 4:04 GMT+08:00 Michael Lange :
> Hi,
>
> On Wed, 9 Aug 2017 03:11:48 +0800
> spp mg  wrote:
>
>> Hi all
>>
>> The ~/.profile has the below default setting:
>>
>> --
>> # set PATH so it includes user's private bin if it exists
>> if [ -d "$HOME/bin" ] ; then
>> PATH="$HOME/bin:$PATH"
>> fi
>> --
>>
>> Why put ~/bin at the beginning? Is that dangerous?
>
> like other people already pointed out there shouldn't be anything
> dangerous about this.
> One possible use case is for example that you could put there a
> minimal script that temporarily overrides some environment variable, like
> one I have here which reads:
>
> #!/bin/bash
> GTK_IM_MODULE=gtk /usr/bin/poedit $@
> exit $?
>
> This way I can conveniently call "poedit " with the desired
> setting of GTK_IM_MODULE without either having to type the whole thing
> each time or else having to permanently change GTK_IM_MODULE's setting
> (the default value of which I modified for other reasons).
>
> Best regards
>
> Michael
>
> .-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.
>
> Fascinating, a totally parochial attitude.
> -- Spock, "Metamorphosis", stardate 3219.8
>

Thanks for replying (very fast :D)

I think it may be dangerous because generally system commands should be
of higher order than the user's commands.

For example, some guy puts an "rm" named "ls" into ~/bin. This "ls"
can be a virus or ransomware; the user may not know it's not the one he
wants ("ls").

So I think putting ~/bin at the tail of $PATH has better security for normal users.

For me, I will avoid using the same name as an existing command, and for users
who want to use the same name, I believe they know or will learn how to modify
$PATH.


I mean, putting ~/bin at the tail of $PATH will be better for the default setting,
so does the developer have another reason to put it at the beginning?



Re: Why debian put ~/bin beginning of $PATH

2017-08-08 Thread Michael Lange
Hi,

On Wed, 9 Aug 2017 03:11:48 +0800
spp mg  wrote:

> Hi all
> 
> The ~/.profile has the below default setting:
> 
> --
> # set PATH so it includes user's private bin if it exists
> if [ -d "$HOME/bin" ] ; then
> PATH="$HOME/bin:$PATH"
> fi
> --
> 
> Why put ~/bin at the beginning? Is that dangerous?

like other people already pointed out there shouldn't be anything
dangerous about this.
One possible use case is for example that you could put there a
minimal script that temporarily overrides some environment variable, like
one I have here which reads:

#!/bin/bash
GTK_IM_MODULE=gtk /usr/bin/poedit $@
exit $?

This way I can conveniently call "poedit " with the desired
setting of GTK_IM_MODULE without either having to type the whole thing
each time or else having to permanently change GTK_IM_MODULE's setting
(the default value of which I modified for other reasons).

Best regards

Michael

.-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.

Fascinating, a totally parochial attitude.
-- Spock, "Metamorphosis", stardate 3219.8



Re: Why debian put ~/bin beginning of $PATH

2017-08-08 Thread Nicolas George
On duodi 22 Thermidor, year CCXXV, spp mg wrote:
> Why put ~/bin at the beginning? Is that dangerous?

No.

-- 
  Nicolas George



Re: Why debian put ~/bin beginning of $PATH

2017-08-08 Thread John Elliot V
On 09/08/17 05:11, spp mg wrote:
> The ~/.profile has the below default setting:
> 
> --
> # set PATH so it includes user's private bin if it exists
> if [ -d "$HOME/bin" ] ; then
> PATH="$HOME/bin:$PATH"
> fi
> --
> 
> Why put ~/bin at the beginning?

So that your own stuff has precedence...

> Is that dangerous?

Not really. Only you or a system administrator would have write access
to ~/bin. What makes you think it might be dangerous?

-- 
E: j...@jj5.net
P: +61 4 3505 7839
W: https://www.jj5.net/