On 04/05/18 09:50, Jonathan Wakely wrote:
> On 03/05/18 12:23 -0400, R P Herrold wrote:
>> By convention additions to the path come LAST in priority,
>> because of well known privilege escalation attack approaches
>> (the incautious admin sits down at a 'trapped' nominally sick
>> workstation, and fails to use a fully qualified path to 'su'
>> or 'sudo', or omits to add the '-' to cause PATH cleansing).
>
> Either the admin does one of those things, or they're screwed anyway
> because a user (or attacker with access to the user's account) who
> wants to escalate their privileges can edit the user's PATH.  The user
> can always do that, whether Fedora puts ~/.local/bin early in the PATH
> by default or not.
>
> I don't think I like the idea of putting it early in the PATH by
> default, but I don't have a solid argument for why I don't like it.

You're probably in the same boat as me which is you've been brought up putting things like that late. Looking at the various unixy accounts I have only one that has any mention of ~/.login/bin in $PATH and they put it late, all of them have ~/bin or some version of that last. I suspect that there's a whole mishmash of positioning of stuff like this and various sites/people/applications are going to have their own opinions on what should go where.

> None of the "security" arguments presented are convincing though.

No, you're probably right, although I'm not entirely convinced that "it has to be first because otherwise app X will break" is a convincing argument either. A convention either way is sensible, changing conventions will cause pain, but I suspect that horse has left the building.

devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
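
An audit for the PATH-ordering concern discussed in this thread, as an added example that is not part of any poster's message: for each command it walks a PATH in search order and reports every directory, searched before the first trusted copy, that someone other than the trusted owner could write to. The function names are hypothetical, and treating uid 0 as the only trusted owner is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): find PATH entries that could shadow
# a command such as su or sudo because they are searched first and are
# writable by someone other than the trusted owner.

# is_untrusted_dir DIR UID: true if DIR is not owned by UID or is
# group/world-writable (columns 6 and 9 of the `ls -l` mode string).
is_untrusted_dir() {
    ls -ldnL -- "$1" 2>/dev/null | awk -v uid="$2" '
        { bad = ($3 != uid || substr($1, 6, 1) == "w" || substr($1, 9, 1) == "w") }
        END { exit !bad }'
}

# path_shadow_audit PATH_STRING TRUSTED_UID CMD...
# Prints one line per finding; returns 1 if there was any finding.
path_shadow_audit() {
    audit_path=$1 trusted_uid=$2
    shift 2
    findings=0
    old_ifs=$IFS
    set -f                                   # no globbing while splitting on ':'
    for cmd in "$@"; do
        IFS=:
        for dir in $audit_path; do
            IFS=$old_ifs
            [ -n "$dir" ] || dir=.           # an empty entry means the cwd
            [ -d "$dir" ] || continue
            if is_untrusted_dir "$dir" "$trusted_uid"; then
                state=possible               # a file dropped here would win
                [ -x "$dir/$cmd" ] && state=ACTIVE   # one is already there
                echo "$cmd: $state shadow via $dir"
                findings=$((findings + 1))
            elif [ -x "$dir/$cmd" ]; then
                break                        # first trusted copy wins the lookup
            fi
        done
        IFS=$old_ifs
    done
    set +f
    [ "$findings" -eq 0 ]
}

# Audit the current PATH for the two commands named in the thread.
path_shadow_audit "$PATH" 0 su sudo || echo "review the entries listed above"
```

Directories listed after the first trusted copy of a command are not reported, since they cannot win the lookup for that command.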