[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-devel
Subject:    Re: kdesu overrides user's PATH with hardcoded path
From:       Anders =?iso-8859-1?q?L=F6vgren?= <lespaul () algonet ! se>
Date:       2008-09-04 0:52:43
Message-ID: 200809040252.45026.lespaul () algonet ! se
[Download RAW message or body]

On Monday 01 September 2008 07.29.37 Oswald Buddenhagen wrote:
> On Sun, Aug 31, 2008 at 07:02:52PM -0400, Guillaume Pothier wrote:
> > [attribution missing]
> >
> > > this argument is nonsense. why would /usr/bin be less vulnerable than
> > > /usr/local/bin? there is no probability involved here. attacker can
> > > modify anything in your $PATH => you lose. period.
> >
> > I think the case is more about something the user downloads somewhere
> > into his home directory (which she can do without needing any
> > privileges) than something between /usr and /usr/local.
>
> this makes no sense, either. if a user can be tricked into downloading
> something evil into his ~/bin and making it executable, then all odds
> are off anyway. in that scenario, "protecting" $PATH would be like
> removing /bin/rm for security reasons.

The modified $PATH will at least protect against e.g. running a bad ~/bin/cat 
from a program or script that happens to use whatever cat that comes first in 
the $PATH.

// Anders
 
>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<
[prev in list] [next in list] [prev in thread] [next in thread]