Re: Why debian put ~/bin beginning of $PATH




Hi,

On Wed, 9 Aug 2017 04:56:58 +0800
spp mg <sm.sppmg@xxxxxxxxx> wrote:

(...)
> For example, some guy put a "rm" but named "ls" to ~/bin. This "ls"
> can be a virus or ransomware, and the user may not know it's not the
> one he wants ("ls").

A user without administrator privilege can generally put "malware"
anywhere in *his own* home directory and it could possibly cause the same
damage from there (if the system is configured properly hopefully not
that much), so this does not matter, I think.

I think you forget that your "some guy" must be either the user him- or
herself or the system administrator (root)! If your users or
sysadmins desperately want to shoot themselves in the foot, don't worry,
they will find some way, you will not be able to stop them. But why would
normal people do such a thing? And any malware programmer who secretly
"injects" something bad into your system will probably not rely on ~/bin
being at the start of PATH, these people have other ways.

> 
> So I think putting ~/bin at the tail of $PATH gives better security
> for a normal user.

Why? If the user puts a program called "evilmalware" there, it simply
does not matter where in PATH it is. And when the user does something
sane instead, as in my "poedit" example, it will no longer work :(

> 
> For me, I will avoid using the same name as an existing command, and
> for a user who wants to use the same name, I believe he knows or will
> learn how to modify $PATH.
> 
> 
> I mean, putting ~/bin at the tail of $PATH would be better as the
> default setting, so do the developers have another reason to put it at
> the beginning?

I think the reason is exactly as I and others have said, the benefit to
security you get by omitting ~/bin from the beginning of PATH is more
"feeling" than "reality", the real dangers are waiting somewhere else :)
And the benefit of this default setting is that a user without privilege
may override a system default command. 

Best regards

Michael

.-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.

Where there's no emotion, there's no motive for violence.
		-- Spock, "Dagger of the Mind", stardate 2715.1
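
An added example, not part of the original message or of Debian's own tooling: a shell function that reports which executables in a per-user directory such as ~/bin share a name with a command elsewhere in PATH, and which copy a shell would run for a given ordering. The function names and the temporary demo tree (with constructed `poedit` and `mytool` stubs) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).

# shadow_report DIR PATHSTRING
# For each executable in DIR that has a same-named executable in another
# PATHSTRING entry, print which copy a shell would run.
shadow_report() {
    dir=${1%/} pathstr=$2
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        name=${f##*/}
        passed=no    # "yes" once the PATH walk has gone past DIR
        printf '%s\n' "$pathstr" | tr ':' '\n' | while IFS= read -r p; do
            [ -n "$p" ] || p=.    # empty PATH entry means current directory
            p=${p%/}
            if [ "$p" = "$dir" ]; then passed=yes; continue; fi
            [ -f "$p/$name" ] && [ -x "$p/$name" ] || continue
            if [ "$passed" = yes ]; then
                echo "$name: $f shadows $p/$name"
            else
                echo "$name: $p/$name takes precedence over $f"
            fi
            break    # only the first other match decides the outcome
        done
    done
}

# make_demo_tree: build a constructed layout under a temp dir, print its root.
# usr/bin holds ls and poedit; home/bin holds poedit and mytool (hypothetical).
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/home/bin" "$root/usr/bin"
    for f in usr/bin/ls usr/bin/poedit home/bin/poedit home/bin/mytool; do
        printf '#!/bin/sh\n' > "$root/$f"
        chmod +x "$root/$f"
    done
    printf '%s\n' "$root"
}

# Stand-alone use: audit the real ~/bin against the current PATH (read-only).
if [ -n "${HOME:-}" ] && [ -d "$HOME/bin" ]; then
    shadow_report "$HOME/bin" "$PATH"
fi
```

Names that exist only in the audited directory (the `mytool` stub here) are never reported, since PATH order does not change which file runs for them.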