Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-26 Thread Siteshwar Vashisht
- Original Message - > From: "Sorin Sbarnea" > To: "Miro Hrončok" > Cc: "Development discussions related to Fedora" > > Sent: Tuesday, May 29, 2018 11:19:02 AM > Subject: Re: Prioritizing ~/.local/bin over /usr/bin on the PATH > >

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-25 Thread Tomasz Kłoczko
On Mon, 25 Jun 2018 at 13:02, Zbigniew Jędrzejewski-Szmek wrote: [..] > > not really in the first scenario I gave the user decided to change > > his environment and despite warnings shot himself in the foot, in > > the second the user was handed a loaded gun with no safety and also > > managed to

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-25 Thread Alois Mahdal
Hi, On 06/22/2018 02:25 PM, Till Maas wrote: > [...] >> I think you keep putting some kind of base standard on the hypothetical >> attacker and then your argument is "if they can do X then they can do >> Y". Because we're both SW engineers, the relation between X and Y is >> obvious to us, so

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-25 Thread Zbigniew Jędrzejewski-Szmek
On Mon, Jun 25, 2018 at 11:14:37AM +0100, Iain Rae wrote: > > > On 25/06/18 10:20, Zbigniew Jędrzejewski-Szmek wrote: > >On Mon, Jun 25, 2018 at 12:21:46AM +0100, Iain Rae wrote: > >>On 22/06/18 20:56, Till Maas wrote: > >>>On Fri, Jun 22, 2018 at 07:24:54PM +0200, Björn Persson wrote: >

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-25 Thread Iain Rae
On 25/06/18 10:20, Zbigniew Jędrzejewski-Szmek wrote: On Mon, Jun 25, 2018 at 12:21:46AM +0100, Iain Rae wrote: On 22/06/18 20:56, Till Maas wrote: On Fri, Jun 22, 2018 at 07:24:54PM +0200, Björn Persson wrote: Till Maas wrote: I do not see any reason why a user would put something in

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-25 Thread Zbigniew Jędrzejewski-Szmek
On Mon, Jun 25, 2018 at 12:21:46AM +0100, Iain Rae wrote: > On 22/06/18 20:56, Till Maas wrote: > >On Fri, Jun 22, 2018 at 07:24:54PM +0200, Björn Persson wrote: > >>Till Maas wrote: > >>>I do not see any reason why a user would put something in ~/bin that > >>>would mask something in /usr/bin

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-24 Thread Iain Rae
On 22/06/18 20:56, Till Maas wrote: On Fri, Jun 22, 2018 at 07:24:54PM +0200, Björn Persson wrote: Till Maas wrote: I do not see any reason why a user would put something in ~/bin that would mask something in /usr/bin except to actually mask the binary. It is the same with other user

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-24 Thread Kyle Marek
On 06/24/2018 04:17 PM, Tomasz Kłoczko wrote: > On Sun, 24 Jun 2018 at 20:32, Björn Persson wrote: > [..] >> Yes. There is no order that is obviously best for all purposes. >> >> I know at least one well-designed programming language where, if two >> declarations have the same identifier but in

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-24 Thread Tomasz Kłoczko
On Sun, 24 Jun 2018 at 20:32, Björn Persson wrote: [..] > Yes. There is no order that is obviously best for all purposes. > > I know at least one well-designed programming language where, if two > declarations have the same identifier but in different namespaces, and > both of those namespaces

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-24 Thread Björn Persson
Till Maas wrote: > On Fri, Jun 22, 2018 at 07:24:54PM +0200, Björn Persson wrote: > > Till Maas wrote: > > > I do not see any reason why a user would put something in ~/bin that > > > would mask something in /usr/bin except to actually mask the binary. It > > > is the same with other user

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-24 Thread Tomasz Kłoczko
On Fri, 22 Jun 2018 at 18:31, Björn Persson wrote: [..] > > Would you consider now classify such change as serious vulnerability > > introduction? > > If you state a falsehood again and again it will eventually become true? So I'm guessing that answering on the question why /usr/local based

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-22 Thread Till Maas
On Fri, Jun 22, 2018 at 07:24:54PM +0200, Björn Persson wrote: > Till Maas wrote: > > I do not see any reason why a user would put something in ~/bin that > > would mask something in /usr/bin except to actually mask the binary. It > > is the same with other user configuration, anyone expects

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-22 Thread Till Maas
On Fri, Jun 22, 2018 at 05:01:38PM +0100, Tomasz Kłoczko wrote: > On Fri, 22 Jun 2018 at 13:36, Till Maas wrote: > [..] > > > The attacker could have looked up the exploit on the web. > > > > If it is a public exploit, then it is usually fixed by updates, > > especially if the impact is that big.

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-22 Thread Björn Persson
Till Maas wrote: > I do not see any reason why a user would put something in ~/bin that > would mask something in /usr/bin except to actually mask the binary. It > is the same with other user configuration, anyone expects ~/.ssh/config > to override /etc/ssh/ssh_config instead of the other way

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-22 Thread Björn Persson
Tomasz Kłoczko wrote: > Just FTR. > If Fedora maintainers will decide to put ~/.local/bin over /usr/bin on > the $PATH it will be possible to control over ~/.local/bin/id (and/or > many more similar commands) what happens on begin of the user login > session. None of the packages updates (except

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-22 Thread Matthew Miller
On Fri, Jun 22, 2018 at 05:01:38PM +0100, Tomasz Kłoczko wrote: > If Fedora maintainers will decide to put ~/.local/bin over /usr/bin on > the $PATH it will be possible to control over ~/.local/bin/id (and/or > many more similar commands) what happens on begin of the user login > session. None of

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-22 Thread Tomasz Kłoczko
On Fri, 22 Jun 2018 at 13:52, Till Maas wrote: [..] > No, it does not change everything as attackers can also just copy > desktop files with other Exec-Keys to > > /home/till/.local/share/applications, for example like this: > > sed -e s,Exec=.*,Exec=xmessage\ pwned, >

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-22 Thread Tomasz Kłoczko
On Fri, 22 Jun 2018 at 13:36, Till Maas wrote: [..] > > The attacker could have looked up the exploit on the web. > > If it is a public exploit, then it is usually fixed by updates, > especially if the impact is that big. A user not installing > security updates is a scenario I consider not worth

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-22 Thread Till Maas
On Mon, Jun 18, 2018 at 02:17:43PM +0100, Tomasz Kłoczko wrote: > For example in case of have /usr/local/bin/id you can observe that > gnome-terminal started from command line and GUI menu are altered. > In other words this effect literally spreads as well across most of > the

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-22 Thread Till Maas
On Sat, Jun 16, 2018 at 01:17:57PM -0400, Nico Kadel-Garcia wrote: > * Stolen passwords from penetrated hosts, used for SSH connections. > Copying a file to $HOME/.local/bin requires far less scripting and > awareness of existing contents than editing of .bashrc or .profile > that reveals

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-22 Thread Till Maas
On Fri, Jun 15, 2018 at 06:56:16PM +0200, Alois Mahdal wrote: > > > On 06/15/2018 11:24 AM, Till Maas wrote: > > ...] > > > >> What I'm trying to say is that with these kinds of attack (like viruses, > >> or exploits on massively accessed page), there is inevitably going to be > >> some sort of

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-18 Thread Björn Persson
Nico Kadel-Garcia wrote: > On Sat, Jun 16, 2018 at 11:38 AM, Björn Persson wrote: > > Nico Kadel-Garcia wrote: > >> On Fri, Jun 15, 2018 at 12:55 PM, Till Maas wrote: > >> > So the assumption is to have a super sophisticated browser exploit for > >> > which > >> > an attacker most likely

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-18 Thread Björn Persson
Ian Malone wrote: > 1. For example, a kiosk mode, where the home directory is wiped each > login would be made less secure. The profile for the GUI is set at > login, so writing .bash_profile has no effect on the GUI environment, > but an attacker able to place files where the user has write >

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-18 Thread Matthew Miller
On Mon, Jun 18, 2018 at 04:48:43PM +0200, Vít Ondruch wrote: > > https://fedoraproject.org/wiki/Fedora_Kiosk > It does not look to be maintained ... It seems to have never been completed. Note the category "Spins in Development", as well as this bit: The most recent blog post by the developer

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-18 Thread Vít Ondruch
On 18.6.2018 at 16:30, Tomasz Kłoczko wrote: > On Mon, 18 Jun 2018 at 14:58, Vít Ondruch wrote: > [..] >> Forgive my ignorance, but where is the option to install Fedora in Kiosk >> mode? I am asking, because I am not aware about any option like this, >> hence this needs IMO some

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-18 Thread Tomasz Kłoczko
On Mon, 18 Jun 2018 at 14:58, Vít Ondruch wrote: [..] > Forgive my ignorance, but where is the option to install Fedora in Kiosk > mode? I am asking, because I am not aware about any option like this, > hence this needs IMO some configuration and if you configure the > computer to run in Kiosk

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-18 Thread Vít Ondruch
On 18.6.2018 at 00:13, Ian Malone wrote: > On 16 June 2018 at 13:50, Björn Persson wrote: >> Tomasz Kłoczko wrote: >>> On Fri, 15 Jun 2018 at 23:21, Björn Persson wrote: >>> [..] Don't forget that if your proof of concept can be modified to either overwrite or append to ~/.bashrc,

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-18 Thread Tomasz Kłoczko
On Mon, 18 Jun 2018 at 12:18, Ian Malone wrote: [..] > > Even if .bash_profile is not always read, .bashrc is read every time > > a shell is started (OK, not "every time", but often enough). So for > > example if I open a new tab in the terminal, or run some scripting plugin > > from an editor,

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-18 Thread Ian Malone
On 18 June 2018 at 11:27, Zbigniew Jędrzejewski-Szmek wrote: > On Sun, Jun 17, 2018 at 11:13:39PM +0100, Ian Malone wrote: >> On 16 June 2018 at 13:50, Björn Persson wrote: >> > Tomasz Kłoczko wrote: >> >> On Fri, 15 Jun 2018 at 23:21, Björn Persson wrote: >> >> [..] >> >> > Don't forget that

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-18 Thread Zbigniew Jędrzejewski-Szmek
On Sun, Jun 17, 2018 at 11:13:39PM +0100, Ian Malone wrote: > On 16 June 2018 at 13:50, Björn Persson wrote: > > Tomasz Kłoczko wrote: > >> On Fri, 15 Jun 2018 at 23:21, Björn Persson wrote: > >> [..] > >> > Don't forget that if your proof of concept can be modified to either > >> > overwrite or

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-18 Thread Ian Malone
On 18 June 2018 at 00:49, Tomasz Kłoczko wrote: > On Sun, 17 Jun 2018 at 23:23, Ian Malone wrote: > [..] >> Well, two things: >> >> 1. For example, a kiosk mode, where the home directory is wiped each >> login would be made less secure. The profile for the GUI is set at >> login, so writing

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-17 Thread Tomasz Kłoczko
On Sun, 17 Jun 2018 at 23:23, Ian Malone wrote: [..] > Well, two things: > > 1. For example, a kiosk mode, where the home directory is wiped each > login would be made less secure. The profile for the GUI is set at > login, so writing .bash_profile has no effect on the GUI environment, > but an

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-17 Thread Tomasz Kłoczko
On Sun, 17 Jun 2018 at 20:03, Matthew Miller wrote: [..] > > Prioritizing security issues is only possible in context of the RISK. > > That's only part of the equation. Practical security has to fairly > assess and balance risk _against requirements_. Please back to the equation and

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-17 Thread Ian Malone
On 16 June 2018 at 13:50, Björn Persson wrote: > Tomasz Kłoczko wrote: >> On Fri, 15 Jun 2018 at 23:21, Björn Persson wrote: >> [..] >> > Don't forget that if your proof of concept can be modified to either >> > overwrite or append to ~/.bashrc, then it's irrelevant to this debate. >> >> before

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-17 Thread Matthew Miller
On Sun, Jun 17, 2018 at 10:03:30AM +0100, Tomasz Kłoczko wrote: > Przemek .. what you mean "this is NOT a serious security issue"? > Is it possible to be not serious pregnant? > Something IS security issue or NOT at all. Isn't it? > There are ONLY TWO possible states in context of security, and

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-17 Thread Björn Persson
Tomasz Kłoczko wrote: > Just please add /usr/local/bin/id text file with content: > > #!/bin/sh > echo "No one expects The Spanish Inquisition!" > exec /usr/bin/id $* I can't: bash: /usr/local/bin/id: Permission denied Björn Persson

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-17 Thread Tomasz Kłoczko
On Sun, 17 Jun 2018 at 03:18, Przemek Klosowski wrote: [..] > I have mixed feelings about that. On one hand, I agree that this is NOT > a serious security issue (it's essentially a local compromise requiring > an existing local compromise), so if someone claims it'll make their > life easier, I

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-16 Thread Kyle Marek
On 06/16/2018 01:17 PM, Nico Kadel-Garcia wrote: > On Sat, Jun 16, 2018 at 11:38 AM, Björn Persson wrote: >> Nico Kadel-Garcia wrote: >>> On Fri, Jun 15, 2018 at 12:55 PM, Till Maas wrote: So the assumption is to have a super sophisticated browser exploit for which an attacker

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-16 Thread Nico Kadel-Garcia
On Sat, Jun 16, 2018 at 11:38 AM, Björn Persson wrote: > Nico Kadel-Garcia wrote: >> On Fri, Jun 15, 2018 at 12:55 PM, Till Maas wrote: >> > So the assumption is to have a super sophisticated browser exploit for >> > which >> > an attacker most likely spent several days to find it and then the

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-16 Thread Björn Persson
Nico Kadel-Garcia wrote: > On Fri, Jun 15, 2018 at 12:55 PM, Till Maas wrote: > > So the assumption is to have a super sophisticated browser exploit for which > > an attacker most likely spent several days to find it and then the PATH > > setting will make it so much harder that the exploit will

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-16 Thread Nico Kadel-Garcia
On Fri, Jun 15, 2018 at 12:55 PM, Till Maas wrote: > So the assumption is to have a super sophisticated browser exploit for which > an attacker most likely spent several days to find it and then the PATH > setting will make it so much harder that the exploit will not succeed? There > are a lot

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-16 Thread Björn Persson
Tomasz Kłoczko wrote: > On Fri, 15 Jun 2018 at 23:21, Björn Persson wrote: > [..] > > Don't forget that if your proof of concept can be modified to either > > overwrite or append to ~/.bashrc, then it's irrelevant to this debate. > > before ~/.bashrc is executed many other scripts executions

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-16 Thread Tomasz Kłoczko
On Fri, 15 Jun 2018 at 23:21, Björn Persson wrote: [..] > Don't forget that if your proof of concept can be modified to either > overwrite or append to ~/.bashrc, then it's irrelevant to this debate. Is it really so hard to execute "strace -trace=openat,stat bash -l" to spot that before

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-15 Thread Alec Leamas
On 15/06/18 19:52, Przemek Klosowski wrote: > I have mixed feelings about that. On one hand,  I agree that this is NOT > a serious security issue (it's essentially a local compromise requiring > an existing local compromise), so if someone claims it'll make their > life easier, I want to say

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-15 Thread Przemek Klosowski
On 06/15/2018 07:30 AM, Tomasz Kłoczko wrote: Nevertheless still no one answered on very simple question. So I'll repeat it: Why Fedora _must_ offer OOTB ~/.local/bin, /usr/local{s,}bin paths on the front of the $PATH in OOTB settings? The churn in some software (javascript, python, ...) is

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-15 Thread Till Maas
Hi, On 15.06.2018 at 00:50, Alois Mahdal wrote: On 06/14/2018 11:37 PM, Till Maas wrote: Hi, On Thu, Jun 14, 2018 at 04:19:27PM +0200, Alois Mahdal wrote: On 06/14/2018 08:40 AM, Zbigniew Jędrzejewski-Szmek wrote: What about attack success rate? But if the attacker is some browser

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-15 Thread Alois Mahdal
On 06/15/2018 11:24 AM, Till Maas wrote: > ...] > >> What I'm trying to say is that with these kinds of attack (like viruses, >> or exploits on massively accessed page), there is inevitably going to be >> some sort of economic decision on side of author affecting how "smart" >> they want the

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-15 Thread Björn Persson
Tomasz Kłoczko wrote: > Many people here gently been pointing on the issue without showing > real POC how to use this. > I think that it may force someone to put publically some POC showing > how to use this. > I see almost between the lines that I'm not only person here which > such POC already

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-15 Thread Robert Marcano
I am late to the discussion, and a lot of them are related to the security implications. I am more worried about users overriding dependencies of other programs. Let me explain with a hypothetical case: 1- There is a system installed application that manipulates PDFs and has a requirement to

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-15 Thread Tomasz Kłoczko
On Thu, 14 Jun 2018 at 17:53, Zbigniew Jędrzejewski-Szmek wrote: [..] > We put the bar for _security_ measures much higher than mere inconvenience. > In fact we know that users have been installing software in ~/ > successfully before this change, and it doesn't allow them to do > anything they

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-14 Thread Alois Mahdal
On 06/14/2018 11:37 PM, Till Maas wrote: > Hi, > > On Thu, Jun 14, 2018 at 04:19:27PM +0200, Alois Mahdal wrote: > >> On 06/14/2018 08:40 AM, Zbigniew Jędrzejewski-Szmek wrote: > >> What about attack success rate? > >> But if the attacker is some browser exploit able to take a shot at many

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-14 Thread Till Maas
Hi, On Thu, Jun 14, 2018 at 04:56:32PM -0400, Stephen John Smoogen wrote: > Look, people keep asking why it was like this. I am trying to explain > it. I am not defending it or saying we have to keep doing it that Thank you very much. I appreciate it to know the history and see that I am not

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-14 Thread Till Maas
Hi, On Thu, Jun 14, 2018 at 04:19:27PM +0200, Alois Mahdal wrote: > On 06/14/2018 08:40 AM, Zbigniew Jędrzejewski-Szmek wrote: > What about attack success rate? > But if the attacker is some browser exploit able to take a shot at many > users (not knowing what their OS, let alone default $PATH

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-14 Thread Stephen John Smoogen
On 14 June 2018 at 16:23, Till Maas wrote: > On Wed, Jun 13, 2018 at 05:28:03PM -0400, Stephen John Smoogen wrote: > >> and some other remote filesystem which were common in universities and >> thought safe by itself. Or the attack would be done by controlling one >> host with root permissions

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-14 Thread Till Maas
On Wed, Jun 13, 2018 at 05:28:03PM -0400, Stephen John Smoogen wrote: > The usual culprit in the past has been where an attacker gets access > via a chrooted or container environment where they only have access to > a limited set of directories. A long time ago this was done via ftp I read this

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-14 Thread Alois Mahdal
(Again, I'm not infosec expert, I'm just pulling from what I've randomly heard/read/learned through my time in QA and SW engineering.) On 06/14/2018 08:40 AM, Zbigniew Jędrzejewski-Szmek wrote: > [...] > hatever their privilege level might be. >>> >>> Executable directory? If you have power

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-14 Thread Zbigniew Jędrzejewski-Szmek
On Wed, Jun 13, 2018 at 06:28:47PM +0200, Alois Mahdal wrote: > Hi, > > I'm no infosec expert, but... > > On 06/12/2018 07:31 PM, Miro Hrončok wrote: > > > > On 12.6.2018 19:20, Howard Howell wrote: > >> I haven't followed all of this thread, too self busy.  However there is > >> a security

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-13 Thread Stephen John Smoogen
On 13 June 2018 at 17:34, Samuel Sieb wrote: > On 06/13/2018 02:28 PM, Stephen John Smoogen wrote: >> >> directories needed to be at the end of the path. It was also linked to >> the reason not to put . in the path. > > > I thought the reason to not put . in the path was because you could be >

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-13 Thread Samuel Sieb
On 06/13/2018 02:28 PM, Stephen John Smoogen wrote: directories needed to be at the end of the path. It was also linked to the reason not to put . in the path. I thought the reason to not put . in the path was because you could be looking in someone else's folder and they could have put an

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-13 Thread Stephen John Smoogen
On 13 June 2018 at 17:04, Till Maas wrote: > On Tue, Jun 12, 2018 at 08:43:06AM -0400, Matthew Miller wrote: >> On Tue, Jun 12, 2018 at 07:50:29AM -0400, Nico Kadel-Garcia wrote: >> > The simple fact is that "sudo" inherits $HOME and $PATH by default. >> >> Not in Fedora's default configuration.

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-13 Thread Till Maas
On Tue, Jun 12, 2018 at 08:43:06AM -0400, Matthew Miller wrote: > On Tue, Jun 12, 2018 at 07:50:29AM -0400, Nico Kadel-Garcia wrote: > > The simple fact is that "sudo" inherits $HOME and $PATH by default. > > Not in Fedora's default configuration. And, this proposal increases my > support for

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-13 Thread Till Maas
Hi, On Wed, Jun 13, 2018 at 06:28:47PM +0200, Alois Mahdal wrote: > I've seen many examples with .bashrc, but .bashrc only does it for bash > (and only in interactive mode, IIRC). One has to do it for something > like .xsessionrc -- frankly I'm not sure if there is such file that applies. > >

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-13 Thread Chris Adams
Once upon a time, Alois Mahdal said: > I've seen many examples with .bashrc, but .bashrc only does it for bash > (and only in interactive mode, IIRC). One has to do it for something > like .xsessionrc -- frankly I'm not sure if there is such file that applies. The desktop environment is run via

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-13 Thread Alois Mahdal
Hi, I'm no infosec expert, but... On 06/12/2018 07:31 PM, Miro Hrončok wrote: > > On 12.6.2018 19:20, Howard Howell wrote: >> I haven't followed all of this thread, too self busy.  However there is >> a security argument.  If you have a local executable directory, then >> the capability for

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-13 Thread Daniel P . Berrangé
On Wed, Jun 13, 2018 at 11:17:25AM +0200, Reindl Harald wrote: > > > On 13.06.2018 at 11:11, Daniel P. Berrangé wrote: > > On Tue, Jun 12, 2018 at 08:00:26PM +0200, Reindl Harald wrote: > >> > >> On 12.06.2018 at 19:45, Daniel P. Berrangé wrote: > >>> On Tue, Jun 12, 2018 at 10:20:46AM -0700,

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-13 Thread Daniel P . Berrangé
On Tue, Jun 12, 2018 at 08:00:26PM +0200, Reindl Harald wrote: > > > On 12.06.2018 at 19:45, Daniel P. Berrangé wrote: > > On Tue, Jun 12, 2018 at 10:20:46AM -0700, Howard Howell wrote: > >> I haven't followed all of this thread, too self busy. However there is > >> a security argument. If

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-12 Thread Matthew Miller
On Tue, Jun 12, 2018 at 08:26:52PM +0200, Miro Hrončok wrote: > On 12.6.2018 20:15, Reindl Harald wrote: > >>This is more like a security by obscurity approach. This "another layer" > >>is just one step. It's like putting a duct tape over a keyhole and call > >>it extra security > >bullshit >

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-12 Thread Miro Hrončok
On 12.6.2018 20:15, Reindl Harald wrote: This is more like a security by obscurity approach. This "another layer" is just one step. It's like putting a duct tape over a keyhole and call it extra security bullshit Thanks for the tone, it is very helpful. when the exploit is naively written

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-12 Thread Miro Hrončok
On 12.6.2018 19:57, Reindl Harald wrote: On 12.06.2018 at 19:31, Miro Hrončok wrote: On 12.6.2018 19:20, Howard Howell wrote: I haven't followed all of this thread, too self busy. However there is a security argument. If you have a local executable directory, then the capability for

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-12 Thread Daniel P . Berrangé
On Tue, Jun 12, 2018 at 10:20:46AM -0700, Howard Howell wrote: > I haven't followed all of this thread, too self busy. However there is > a security argument. If you have a local executable directory, then > the capability for malicious software to attach is wide open for that > user, whatever

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-12 Thread Miro Hrončok
On 12.6.2018 19:20, Howard Howell wrote: I haven't followed all of this thread, too self busy. However there is a security argument. If you have a local executable directory, then the capability for malicious software to attach is wide open for that user, whatever their privilege level might

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-12 Thread Howard Howell
On Tue, 2018-06-12 at 12:10 +0100, Tomasz Kłoczko wrote: > On Mon, 11 Jun 2018 at 12:28, Miro Hrončok > wrote: > [..] > > See the change description. > > OK So here is quoted original email with proposal. > > "I'd like to propose putting the ~/.local/bin in front of the > /usr/bin on > the

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-12 Thread Matthew Miller
On Tue, Jun 12, 2018 at 07:50:29AM -0400, Nico Kadel-Garcia wrote: > The simple fact is that "sudo" inherits $HOME and $PATH by default. Not in Fedora's default configuration. And, this proposal increases my support for keeping that as it is (with secure_path set). -- Matthew Miller Fedora

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-12 Thread Kyle Marek
On 06/12/2018 07:50 AM, Nico Kadel-Garcia wrote: > On Tue, Jun 12, 2018 at 7:10 AM, Tomasz Kłoczko > wrote: > >> Just FTR: So far I was unable to find in any of the freedesktop.org or >> other specs (https://www.freedesktop.org/wiki/Software/) things like >> requirement use /usr/local{bi,sbin} or

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-12 Thread Daniel P . Berrangé
On Tue, Jun 12, 2018 at 07:50:29AM -0400, Nico Kadel-Garcia wrote: > On Tue, Jun 12, 2018 at 7:10 AM, Tomasz Kłoczko > wrote: > > > Just FTR: So far I was unable to find in any of the freedesktop.org or > > other specs (https://www.freedesktop.org/wiki/Software/) things like > > requirement use

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-12 Thread Miro Hrončok
On 12.6.2018 13:50, Nico Kadel-Garcia wrote: On Tue, Jun 12, 2018 at 7:10 AM, Tomasz Kłoczko wrote: Just FTR: So far I was unable to find in any of the freedesktop.org or other specs (https://www.freedesktop.org/wiki/Software/) things like requirement use /usr/local{bi,sbin} or ~.local/bin in

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-12 Thread Nico Kadel-Garcia
On Tue, Jun 12, 2018 at 7:10 AM, Tomasz Kłoczko wrote: > Just FTR: So far I was unable to find in any of the freedesktop.org or > other specs (https://www.freedesktop.org/wiki/Software/) things like > requirement use /usr/local{bi,sbin} or ~.local/bin in $PATH (and > especially on the front of

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-12 Thread Tomasz Kłoczko
On Mon, 11 Jun 2018 at 12:28, Miro Hrončok wrote: [..] > See the change description. OK So here is quoted original email with proposal. "I'd like to propose putting the ~/.local/bin in front of the /usr/bin on the PATH. Currently /usr/bin has priority over ~/.local/bin, which causes a [bug]

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-11 Thread Miro Hrončok
On 11.6.2018 13:05, Tomasz Kłoczko wrote:> I would be way more interested of real arguments about why someone is trying to add those $PATH modifications. So far only "argument is that someone proposed those changes without justification except that some other people added something like this to

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-11 Thread Tomasz Kłoczko
On Sun, 10 Jun 2018 at 21:02, Sorin Sbarnea wrote: > > Well said, there is no catchy name for this (virtual) security threat. We > will have to let one of those that oppose this proposal to find a catchy > name (PATHEXIT?), maybe even build a paper explaining how to mitigate it. > > I am bit

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-07 Thread Miro Hrončok
On 7.6.2018 10:37, Miro Hrončok wrote: On 7.6.2018 10:21, Sorin Sbarnea wrote: Now that we have a change proposal, how to continue? To get it accepted or rejected, is there a way/process that we need to follow? Mark the change ready for wrangler. I've just did. -- Miro Hrončok -- Phone:

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-07 Thread Miro Hrončok
On 7.6.2018 10:21, Sorin Sbarnea wrote: Now that we have a change proposal, how to continue? To get it accepted or rejected, is there a way/process that we need to follow? Mark the change ready for wrangler. -- Miro Hrončok -- Phone: +420777974800 IRC: mhroncok

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-06-07 Thread Sorin Sbarnea
Well said, there is no catchy name for this (virtual) security threat. We will have to let one of those that oppose this proposal to find a catchy name (PATHEXIT?), maybe even build a paper explaining how to mitigate it. I am bit disappointed because other distributions fixed it, even twice

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-05-29 Thread Till Maas
On Tue, May 29, 2018 at 05:18:48PM +0100, Tomasz Kłoczko wrote: > On 29 May 2018 at 15:24, Till Maas wrote: > > This is also not a serious security threat. > > > > And this claim bases on what kind of facts? > Can you prove this? Sure, there is no logo or catchy name for it. Kind regards Till

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-05-29 Thread Tomasz Kłoczko
On 29 May 2018 at 15:24, Till Maas wrote: > Hi, > > On Tue, May 29, 2018 at 01:44:00PM +0100, Tomasz Kłoczko wrote: > > > Just try to grep across /usr for /usr/local. This is not only about > $PATH. > > Many scripts, programs or configuration files have HARDCODED checks for the > > availability of

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-05-29 Thread Miro Hrončok
On 29.5.2018 16:22, Tomasz Kłoczko wrote: On 29 May 2018 at 13:57, Miro Hrončok wrote: On 29.5.2018 14:44, Tomasz Kłoczko wrote: This, combined with the use of env in many current packages, adds the next batch of possibilities. Agreed. Hence we

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-05-29 Thread Till Maas
Hi, On Tue, May 29, 2018 at 01:44:00PM +0100, Tomasz Kłoczko wrote: > Just try to grep across /usr for /usr/local. This is not only about $PATH. > Many scripts, programs or configuration files have HARDCODED checks for the > availability of some resources or executables in /usr/local before start >

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-05-29 Thread Tomasz Kłoczko
On 29 May 2018 at 13:57, Miro Hrončok wrote: > On 29.5.2018 14:44, Tomasz Kłoczko wrote: > >> This, combined with the use of env in many current packages, adds the next batch of >> possibilities. >> > > Agreed. Hence we try to fight env shebangs with brp scripts. The problem is that this brp script has been

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-05-29 Thread Miro Hrončok
On 29.5.2018 14:44, Tomasz Kłoczko wrote: This, combined with the use of env in many current packages, adds the next batch of possibilities. Agreed. Hence we try to fight env shebangs with brp scripts. -- Miro Hrončok -- Phone: +420777974800 IRC: mhroncok ___

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-05-29 Thread Tomasz Kłoczko
On 29 May 2018 at 10:37, Till Maas wrote: > Hi, > > On Tue, May 29, 2018 at 10:19:44AM +0100, Tomasz Kłoczko wrote: > > > distribution binaries is extremely dangerous, and I'm really surprised > that > > no one looks at those issues already discussed here (and a few similar or > > related ones) as

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-05-29 Thread Miro Hrončok
On 29.5.2018 12:48, Zbigniew Jędrzejewski-Szmek wrote: On Tue, May 29, 2018 at 10:19:02AM +0100, Sorin Sbarnea wrote: I ended up creating https://fedoraproject.org/wiki/Changes/UserPathPrioritization and I invite others to improve its description. A very nice description. Can you add some

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-05-29 Thread Zbigniew Jędrzejewski-Szmek
> On Tue, May 29, 2018 at 10:19:02AM +0100, Sorin Sbarnea wrote: > > I ended up creating > > https://fedoraproject.org/wiki/Changes/UserPathPrioritization and I invite > > others to improve its description. A very nice description. Can you add some hints on what needs to change (/etc/profile?).

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-05-29 Thread Till Maas
Hi, On Tue, May 29, 2018 at 10:19:02AM +0100, Sorin Sbarnea wrote: > I ended up creating > https://fedoraproject.org/wiki/Changes/UserPathPrioritization and I invite > others to improve its description. Awesome, I was about to do the same, therefore I added myself as a second owner to express that

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-05-29 Thread Till Maas
Hi, On Tue, May 29, 2018 at 10:19:44AM +0100, Tomasz Kłoczko wrote: > distribution binaries is extremely dangerous, and I'm really surprised that > no one looks at those issues already discussed here (and a few similar or > related ones) as a SERIOUS SECURITY THREAT to the whole distribution. IIRC enough

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-05-29 Thread Tomasz Kłoczko
On 29 May 2018 at 09:25, Miro Hrončok wrote: > > > On 29.5.2018 09:34, Sorin Sbarnea wrote: > >> What do we need to do to make Fedora do the right thing (add it to the >> top of the list), just like Debian/Ubuntu. I am sure that they had similar >> discussions and in the end they decided to do

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-05-29 Thread Sorin Sbarnea
I ended up creating https://fedoraproject.org/wiki/Changes/UserPathPrioritization and I invite others to improve its description. -- /sorin On Tue, May 29, 2018 at 9:25 AM, Miro Hrončok wrote: > > > On 29.5.2018 09:34, Sorin Sbarnea wrote: > >> What do we need to do to make Fedora do the right

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-05-29 Thread Miro Hrončok
On 29.5.2018 09:34, Sorin Sbarnea wrote: What do we need to do to make Fedora do the right thing (add it to the top of the list), just like Debian/Ubuntu. I am sure that they had similar discussions and in the end they decided to do the right thing. A Fedora change proposal.

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-05-29 Thread Sorin Sbarnea
Did this discussion have any outcome? I tried to find any conclusions in the thread but I failed to spot them. I am asking this because I was redirected to this thread after I opened a bug on RHEL for the same issue, a bug that was closed hours later as NOTABUG, something I do not agree with.

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-05-07 Thread Björn Persson
Panu Matilainen wrote: > On 05/04/2018 04:42 PM, John Florian wrote: > > Just checking my own PATH, I see some surprising things at the front: > > > > $  echo $PATH > > /usr/libexec/python3-sphinx:/usr/lib64/qt-3.3/bin:/usr/lib64/ccache:/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
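
The thread argues about whether a user-writable directory ahead of /usr/bin is a real threat, and the brp/env-shebang messages above note that `#!/usr/bin/env` scripts resolve their interpreter through PATH as well. The following is an added example, not code from the thread, from Fedora or from any distribution: a POSIX sh audit that lists the PATH entries searched before the system directory that the current user can write to (or that are relative, so they depend on the working directory), names the system commands a given directory shadows, and finds scripts that look their interpreter up via `#!/usr/bin/env`. The boundary directory defaults to /usr/bin; that default, and the directory layouts used when calling it, are assumptions, and nothing is read from the real $PATH unless you pass it in (e.g. `risky_dirs_before_system "$PATH"`).

```shell
#!/bin/sh
# Added example (not from the Fedora thread): audit a PATH value for the
# shadowing risk discussed above.  POSIX sh only.  Directory names come
# from the caller; the default boundary /usr/bin is an assumption.

# Print each PATH entry on its own line.  An empty entry is printed as "."
# because the shell searches the current working directory for it.
path_entries() {
    printf '%s\n' "$1" |
        awk -F: '{ for (i = 1; i <= NF; i++) if ($i == "") print "."; else print $i }'
}

# Entries searched before the system directory (default /usr/bin) that the
# invoking user can write to, or that are relative.  A binary dropped in
# any of them wins over the packaged one for every lookup through PATH.
risky_dirs_before_system() {
    sys=${2:-/usr/bin}
    path_entries "$1" | while IFS= read -r d; do
        [ "$d" = "$sys" ] && break
        case $d in
            /*) if [ -w "$d" ]; then printf '%s\n' "$d"; fi ;;
            *)  printf '%s\n' "$d" ;;      # "." or another relative entry
        esac
    done
}

# For every executable in DIR, report the same-named command found in a
# directory listed after DIR in PATH_STRING, as "name<TAB>shadowed path".
shadowed_commands() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        name=${f##*/}
        path_entries "$2" | {
            seen=0
            while IFS= read -r d; do
                if [ "$d" = "$dir" ]; then seen=1; continue; fi
                [ "$seen" -eq 1 ] || continue     # only dirs after DIR matter
                if [ -x "$d/$name" ]; then
                    printf '%s\t%s\n' "$name" "$d/$name"
                    break
                fi
            done
        }
    done
}

# Scripts under DIR whose first line starts with "#!/usr/bin/env": their
# interpreter is resolved through PATH at run time, so they inherit the
# ordering problem even when the script itself sits in a root-owned dir.
env_shebang_scripts() {
    find "$1" -type f -exec sh -c '
        for f; do
            IFS= read -r line < "$f" || true
            case $line in
                "#!/usr/bin/env "*) printf "%s\n" "$f" ;;
            esac
        done' sh {} +
}
```

Run it against a live account with `risky_dirs_before_system "$PATH"` and, for each directory it prints, `shadowed_commands "$dir" "$PATH"`; an empty result from the first call is the state the proposal's opponents describe, and a non-empty result from the second shows exactly which packaged commands (including interpreters named by env shebangs) the earlier entry has already overridden.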

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-05-07 Thread Panu Matilainen
On 05/04/2018 04:42 PM, John Florian wrote: On 2018-05-04 09:33, Stephen John Smoogen wrote: I would do so for the following reasons: 1. Even though the security arguments are weak, they are going to be checkmarks on audits which can't be changed for years. 2. When someone gets a "remove this
