On Fri, Aug 15, 2014 at 1:39 PM, Zlatko Calusic <zcalu...@bitsync.net> wrote:
> On 15.08.2014 10:57, Ondřej Surý wrote:
>
>> Hi Zlatko,
>>
>> I will fix that in git, but having "." in $PATH (especially for root
>> user) is a very bad bad practice and really should be avoided due to
>> security reasons.
>
> No, it's not. It's a bad practice ONLY if some requirements are met, which
> has not been the case here, for a long time.
>
>> Imagine someone dropping a malware binary in /tmp ...
>
> That someone already has a root password, so it's easier for him to use it
> than to drop malware and wait for me to step on it. ;)
>
> The point being of course, dot in the PATH is dangerous ONLY if you are on
> a multiuser machine where there are people with shell access who you can't
> trust. I haven't seen such a machine in decades, and of course I'll remember
> to remove the all-dangerous dot from the PATH then. In the meantime, my
> boxes are so much friendlier with the dot included. :)

Shared hosting machines? (without visualization)

We need the default setting to be secured for all users. If someone wants to make his setting more friendly - he's welcome, but not the default. The fact that you haven't seen such a setting doesn't tell us much of our users' machines.

We shouldn't fail the installation because of that, but the warning should probably still appear.

Kaplan
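
The warn-but-don't-fail behaviour suggested in the reply above could look like the following sketch. It is an added example, not code from this thread or from the package being discussed; the function names and the sample PATH value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical function names): report PATH entries that the
# shell resolves against the current directory, without failing the caller.

# Print one line per risky entry in the PATH string passed as $1.
# Risky entries: ".", any other relative path, and empty entries (a leading,
# trailing or doubled ":"), which the command search treats as the current
# directory.
path_relative_entries() {
    # Append ":" so that a trailing empty entry survives the split.
    _rest="$1:"
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}      # text before the first ":"
        _rest=${_rest#*:}        # text after the first ":"
        case "$_entry" in
            "")  echo "<empty>" ;;
            /*)  ;;              # absolute path: not resolved against cwd
            *)   echo "$_entry" ;;
        esac
    done
}

# Emit a warning on stderr when risky entries exist. Always returns 0, so an
# installation script calling it continues either way.
warn_on_relative_path() {
    _bad=$(path_relative_entries "$1")
    if [ -n "$_bad" ]; then
        echo "warning: PATH has entries resolved against the current directory:" >&2
        echo "$_bad" | sed 's/^/  /' >&2
    fi
    return 0
}

# Constructed sample value, not taken from any real system.
SAMPLE_PATH="/usr/local/sbin:/usr/sbin:.:/sbin::bin"
warn_on_relative_path "$SAMPLE_PATH"
```

Passing `"$PATH"` instead of the sample checks the environment of whoever runs the script, which for a package maintainer script is usually root.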