Bruno Haible <[EMAIL PROTECTED]> wrote: > Jim Meyering wrote: >> If security isn't enough of an argument, you can consider this yet another >> reason not to put "." early in your PATH. Please consider removing >> "." from your PATH altogether. Yes, that does make for some small amount >> of extra typing (you have to prefix certain commands with "./"), but >> that is a small price to pay for the reduced risk of mishap. >> [Sorry to harp on this again, but I wouldn't want readers to get the >> impression that it's ok to have "." *anywhere* in PATH, much less >> near the beginning. ] > > The only security argument I've seen so far against "." in PATH is that > every user, at some point in time, does things like > $ cd /tmp > $ ls -l > and another user on the same machine may have stored a malicious program > at /tmp/ls. > > A similar argument holds for group-writable directories on machines where > you don't trust all users of the same group. > > But when you are on a LAN where you trust all users, or on a firewalled > machine where you are the only user and even your own sysadmin, I see no > point in reducing the PATH. - If you trust everyone in your house, and have > a lock at the door of your house, would you also lock your bedroom's door > at night?
Habits are habits. If I acquire habits that are safe only in a few protected environments, what's to prevent that often-safe behavior from leaking into an environment where it's no longer safe? I prefer to maintain safe habits. Besides, I recognize that no system is immune from risk. I.e., a bug in my browser may allow malicious code to create that /tmp/ls file you mentioned. _______________________________________________ Bug-coreutils mailing list Bug-coreutils@gnu.org http://lists.gnu.org/mailman/listinfo/bug-coreutils
