Re: Why debian put ~/bin beginning of $PATH

On Wed 09 Aug 2017 at 18:04:56 (+0200), Gian Uberto Lauri wrote:

> Having ~/bin before /bin and /usr/bin (and /usr/local/bin) is of no
> harm at all if your account is safe enough.
> 
> If and only if someone can log on with your account, she can put a
> malicious copy/wrapper of a system command (ls to name one) in your
> bin and you could trigger it, thinking you were using the system version.
> 
> What *is* dangerous is having . before system directories, especially
> on multi-user machines.
> 
> In this scenario, user A, who has . in the path before /bin, goes into a
> directory of user B and does an 'ls'.
> 
> That directory contains an executable called ls that is smart enough
> to hide itself. But bastard enough to do something nasty, a Trojan
> horse. And user A just brought it within the walls...

While putting . _anywhere_ in PATH would be stupid, there is a more
insidious trap for the unaware, namely mistaking : for a delimiter
instead of a separator.

An extra colon (anywhere) will yield a null entry.

A null entry in PATH is treated as the current directory.

Examples:   foo:bar:   foo::bar   :foo:bar   and obviously   :foo:bar:

Cheers,
David.
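An added example, not part of the original mail or of Debian's profile scripts: a POSIX sh script that splits a PATH-style string on colons the way the shell does, flags every field that means "current directory" (an explicit "." or an empty field left by a leading, trailing or doubled colon), and then simulates the lookup of a command along that PATH so the difference between "foo:" and ":foo" is visible. The directory names, the fake "ls" scripts and the demo output are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original mail). Two helpers:
#   check_path PATHSTRING       - list entries that mean "current directory":
#                                 an explicit "." or an empty field from a stray colon
#   first_match PATHSTRING CMD  - simulate the shell's lookup of CMD along
#                                 PATHSTRING, treating an empty field as "."
# Both functions and the demo below are this example's own code.

# Print every entry of $1 that resolves to the current directory.
# Return value is the number of such entries (0 = clean).
check_path() {
    rest="$1:"          # trailing ':' so the last field is seen even when empty
    idx=0
    bad=0
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        idx=$((idx + 1))
        case "$entry" in
            "")    printf 'entry %d is empty: searched as "."\n' "$idx"
                   bad=$((bad + 1)) ;;
            .|./*) printf 'entry %d is "%s": the current directory\n' "$idx" "$entry"
                   bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# Print the first executable named $2 found along $1, applying the same
# empty-field-means-dot rule the shell applies. Returns 1 if none is found.
first_match() {
    rest="$1:"
    cmd="$2"
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        dir="${entry:-.}"
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            printf '%s/%s\n' "$dir" "$cmd"
            return 0
        fi
    done
    return 1
}

# Demo with constructed directories: $sysdir stands in for /bin, $evil for
# user B's directory holding a trojan "ls". Only the position of the stray
# colon decides which one user A ends up running.
demo() {
    sysdir=$(mktemp -d) || return 1
    evil=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho real ls\n' > "$sysdir/ls"
    printf '#!/bin/sh\necho TROJAN: ls from the current directory\n' > "$evil/ls"
    chmod 755 "$sysdir/ls" "$evil/ls"

    for p in "$sysdir:" ":$sysdir" "$sysdir::$sysdir"; do
        echo "PATH=$p"
        check_path "$p" || true
        ( cd "$evil" && printf '  ls resolves to %s\n' "$(first_match "$p" ls)" )
    done
    rm -rf "$sysdir" "$evil"
}

demo
```

Run it as `sh check_path.sh` (or source it and call `check_path "$PATH"` against your own environment). Note that a trailing colon is flagged just as a leading one is: the lookup in the demo only happens to reach the system copy first because the empty field comes last, which is exactly the kind of accident that stops working the day the system binary is renamed or removed.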