Re: Why debian put ~/bin beginning of $PATH
- Date: Wed, 9 Aug 2017 11:57:53 -0500
- From: David Wright <deblis@xxxxxxxxxxxxxxxxx>
- Subject: Re: Why debian put ~/bin beginning of $PATH
On Wed 09 Aug 2017 at 18:04:56 (+0200), Gian Uberto Lauri wrote:
> Having ~/bin before /bin and /usr/bin (and /usr/local/bin) is of no
> harm at all if your account is safe enough.
> If and only if someone can log on with your account, she can put a
> malicious copy/wrapper of a system command (ls, to name one) in your
> bin, and you could trigger it thinking you were using the system version.
> What *is* dangerous is having . before system directories, especially
> on multi-user machines.
> In this scenario, user A, who has . in the path before /bin, goes into a
> directory of user B and does an 'ls'.
> That directory contains an executable called ls that is smart enough
> to hide itself, but bastard enough to do something nasty: a Trojan
> horse. And user A just brought it within the walls...
While putting . _anywhere_ in PATH would be stupid, there is a more
insidious trap for the unaware, namely mistaking : for a delimiter
instead of a separator.
An extra colon (anywhere) will yield a null entry.
A null entry in PATH is treated as the current directory.
Examples: "foo:bar:", "foo::bar", ":foo:bar" and obviously ":foo:bar:".
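As an added example (not from the original mail, and not Debian's own code), a POSIX sh audit of the colon pitfall described above: it flags empty entries, a literal "." and relative entries in a PATH-style string, and builds a cleaned copy. The function names check_path, clean_path and path_entry_problem are my own.

```shell
#!/bin/sh
# Added example for this thread (not from the original mail): audit a
# PATH-style string for entries that are searched as the current
# directory, and build a cleaned copy. Flagged: empty entries (from a
# leading, trailing or doubled colon), a literal ".", and relative paths.
# Assumes only POSIX sh.

# Print a reason if entry $2 (at position $1) is unsafe, else nothing.
path_entry_problem() {
    case $2 in
        "") echo "entry $1: empty (searched as the current directory)" ;;
        .)  echo "entry $1: \".\" (the current directory)" ;;
        /*) ;;   # absolute path: fine as far as this check goes
        *)  echo "entry $1: relative path \"$2\" (resolved from the current directory)" ;;
    esac
}

# Walk the colon-separated string in $1 and print one line per problem.
# Exit status is the number of problems, so 0 means the string is clean.
# A ":" is appended so a trailing empty entry is not silently dropped.
check_path() {
    rest="$1:" i=0 n=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}; i=$((i + 1))
        msg=$(path_entry_problem "$i" "$entry")
        if [ -n "$msg" ]; then echo "$msg"; n=$((n + 1)); fi
    done
    return $n
}

# Print $1 with every unsafe entry removed, keeping the original order.
clean_path() {
    rest="$1:" out=""
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}
        if [ -z "$(path_entry_problem 0 "$entry")" ]; then
            out="${out:+$out:}$entry"
        fi
    done
    printf '%s\n' "$out"
}

# Usage on the real variable: report, then adopt the cleaned value.
# check_path "$PATH" || PATH=$(clean_path "$PATH")
```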