On Nov 1, 2007, at 3:16 PM, Douglas A. Tutty wrote:
> On Thu, Nov 01, 2007 at 10:28:55AM -0500, John Hasler wrote:
>> Doug writes:
>>> It would only be a security issue if the permissions on your home
>>> directory and/or the execs themselves allowed others to execute
>>> them.
>>
>> A buggy application (buffer overflow in Firefox...) or an evil bit of
>> JavaScript could be used by a "virus" to install a trojan in $HOME/bin.
>
> If Iceweasel is such a security risk, perhaps I should create a separate
> user under which to use it. What all can a buggy Iceweasel allow?

Yeah, if we're talking about an application security hole of that
kind, it doesn't matter if you have ~/bin in your path or not. The
exploit can just add "export PATH=~/bin:$PATH" to your .bashrc
itself, or call whatever trojan it's created directly!
Having . (single dot) in your PATH is a much more realistic threat,
if you ever cd into a directory controlled by another user. I don't
see that one too much, although every so often someone who's used to
MS-DOS will think it's a clever idea.
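
A check for the PATH risks discussed in this thread, as an added example that is not part of the original messages: it flags `.`, empty and relative entries (all of which resolve against the current directory) and absolute directories that someone other than you or root can write to or owns. The function name `audit_path` and the finding labels are made up for this illustration.

```shell
#!/bin/sh
# audit_path PATHSTRING
# Prints one line per risky entry; returns 1 if anything was flagged.
audit_path() {
    rest="$1:"          # trailing colon keeps a final empty entry visible
    me=$(id -u)
    flagged=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # first field
        rest=${rest#*:}     # remainder after the first colon
        case $entry in
            '') echo "EMPTY: an empty entry is searched as the current directory"
                flagged=1; continue ;;
            .)  echo "DOT: . is whatever directory you have changed into"
                flagged=1; continue ;;
            /*) ;;          # absolute: inspect it on disk below
            *)  echo "RELATIVE: $entry is resolved against the current directory"
                flagged=1; continue ;;
        esac
        # -L follows symlinks (e.g. /bin -> usr/bin); -n prints the numeric owner
        info=$(ls -ldnL -- "$entry" 2>/dev/null) || continue
        set -f; set -- $info; set +f     # $1 = mode string, $3 = owner uid
        case $1 in
            d*) ;;
            *)  continue ;;              # not a directory, never searched
        esac
        case $1 in
            ?????w*|????????w*)          # group-write or other-write bit set
                echo "WRITABLE: $entry is writable by group or others"
                flagged=1 ;;
        esac
        if [ "$3" != 0 ] && [ "$3" != "$me" ]; then
            echo "FOREIGN-OWNER: $entry belongs to uid $3"
            flagged=1
        fi
    done
    return "$flagged"
}

# Audit the PATH of the current shell.
audit_path "$PATH" || echo "PATH has entries that need attention" >&2
```

A clean result says nothing about the case raised above where an exploit running as you edits .bashrc or drops a file into ~/bin; those writes happen with your own permissions.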