On Thu, 28 Jul 2011 11:24:48 +0100
"Bryn M. Reeves" <b...@redhat.com> wrote:

> On 07/27/2011 03:14 PM, Bernd Stramm wrote:
> > On Wed, 27 Jul 2011 15:54:09 +0200
> > Lennart Poettering <mzerq...@0pointer.de> wrote:
> >> If you don't hide ~/.local and ~/.config then users who are less
> >> savvy than us might wonder what that stuff is and delete it and
> >> nothing will stop them and then all their configuration is lost.
> > 
> > Hiding configuration is one thing, hiding executables is another.
> > Hiding executables is a security risk, and should not be done just
> > because a single person asked for it in a BZ.
> 
> There are already quite a few things that may place executables
> under . prefixed paths in home. Java web start (javaws) for instance
> will install an entire jre under .java/deployment/cache, wine has for
> many years installed Windows executables (that can be executed by the
> system) under .wine, browser plugins may be installed
> to .mozilla/plugins and are just as capable of performing "evil"
> actions as an executable (e.g. drop a malicious plugin that hijacks
> some common MIME types, do your $evil and then wrap the intended
> plugin).
> 
> There are various other examples - on an older release I find 171
> such files under ~/:
> 
> $ find $(l. | egrep -v '\.$|\.\.$') -type f -perm /111 | wc -l
> 171

This is no excuse to add to a bad habit.
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
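
The count quoted in the thread, broken down per dot-prefixed entry so a reviewer can see which hidden paths hold the executables. This is an added example, not part of the original messages; the function names are hypothetical and it assumes GNU find (`-perm /111`, `-print0`), as the quoted command does.

```shell
#!/bin/sh
# Added example (not from the thread): report how many executable regular
# files sit beneath each dot-prefixed entry of a home directory.
# Assumes GNU find; function names are illustrative.

# count_hidden_execs PATH -> number of regular files with any execute bit set.
# Output is NUL-delimited so a file name containing a newline counts once.
count_hidden_execs() {
    find "$1" -type f -perm /111 -print0 2>/dev/null |
        tr -dc '\000' | wc -c | tr -d ' '
}

# hidden_exec_report [HOME_DIR] -> lines of "COUNT<TAB>ENTRY", largest count
# first, then a final "TOTAL<TAB>N" line. Entries with no executables are
# omitted. Symlinked entries are not followed (find's default).
hidden_exec_report() {
    home=${1:-$HOME}
    # .[!.]* matches .name and ..?* matches ..name; neither matches . or ..
    for entry in "$home"/.[!.]* "$home"/..?*; do
        [ -e "$entry" ] || continue          # glob matched nothing
        n=$(count_hidden_execs "$entry")
        if [ "$n" -gt 0 ]; then
            printf '%s\t%s\n' "$n" "${entry#"$home"/}"
        fi
    done |
        LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2,2 |
        awk -F '\t' '{ print; total += $1 } END { printf "TOTAL\t%d\n", total }'
}
```

Run `hidden_exec_report` with no argument to audit the current user's home, or pass another directory to audit that one.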
