List:       kde-devel
Subject:    Re: kdesu overrides user's PATH with hardcoded path
From:       Oswald Buddenhagen <ossi () kde ! org>
Date:       2008-09-01 5:29:37
Message-ID: 20080901052937.GA23041 () ugly ! local

On Sun, Aug 31, 2008 at 07:02:52PM -0400, Guillaume Pothier wrote:
> [attribution missing]
> > this argument is nonsense. why would /usr/bin be less vulnerable than
> > /usr/local/bin? there is no probability involved here. attacker can
> > modify anything in your $PATH => you lose. period.
> 
> I think the case is more about something the user downloads somewhere
> into his home directory (which she can do without needing any
> privileges) than something between /usr and /usr/local.
> 
this makes no sense, either. if a user can be tricked into downloading
something evil into his ~/bin and making it executable, then all odds
are off anyway. in that scenario, "protecting" $PATH would be like
removing /bin/rm for security reasons.

-- 
Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
--
Confusion, chaos, panic - my work here is done.