On Thu, May 04, 2017 at 09:54:07AM -0500, Eduardo Bustamante wrote: > Also, I think it's a bit of a stretch to call this a security problem. > The scenario you describe (a user having a directory literally named > `~' with a bin subdirectory, a malicious program creating evil > binaries in $HOME/bin, the user having a misconfigured PATH, ...) is > highly unlikely.
Without taking a side on whether this is a security bug in bash, I will support the idea that users who put ~/bin (or similar) in PATH should be educated to make sure the ~ is expanded, rather than literal. This will protect them even if bash gets patched, because most of them will still be using an older/unpatched version. I will also point out that bash expands ~ in PATH assignments such as PATH=~/bin:$PATH or even PATH=$PATH:~/bin:/other/bin. So, it really does take a bit of work to get a literal ~ into PATH in bash, and users should be discouraged from doing that extra, self-harming work.
