On decadi 30 prairial, year CCXXV, David Bunch wrote:
> This could be a potential security vulnerability because if the user account
> of a user with 'su' power, an attacker could place a malicious 'su', 'ls',
> and 'which' in their ~/bin directory which could give an attacker the root
> password when the user runs the 'su' command.

If the attacker is able to write in ~/bin, then they are also able to write in
~/.profile and add anything they want there. Therefore, the change you suggest
does absolutely nothing for security.

> A safer configuration would be PATH=$PATH:'$HOME/bin'.

If a user installs a program in their home that is already available on the
system, it probably means they want to use their version rather than the
system's. The same goes for programs installed by the admin versus programs
installed by the distribution. Hence, the correct order is really ~/bin,
/usr/local/bin then /usr/bin and not the other way around.

Regards,

-- 
Nicolas George
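An added example illustrating the point of the reply above, not code from the thread: a POSIX sh function (hypothetical name `audit_path`) that flags PATH entries another account could write to, which is where a shadowing 'su', 'ls' or 'which' would actually come from, whatever position ~/bin has in the order. It assumes only POSIX ls, awk and id.

```shell
#!/bin/sh
# Added example, not from the thread: audit a PATH value for entries that an
# account other than the invoking user or root could write to. Such an entry
# is where a shadowing 'su', 'ls' or 'which' could be planted; the position
# of ~/bin in PATH does not change that risk. Assumes POSIX ls/awk/id only.

# audit_path PATHVALUE
# Prints one "label: dir" finding per line; returns 0 if clean, 1 otherwise.
audit_path() {
    rc=0
    me=$(id -u)
    oldifs=$IFS
    IFS=:
    set -f               # no globbing while splitting
    set -- $1            # split PATH on ':' into positional parameters
    set +f
    IFS=$oldifs
    for dir in "$@"; do
        # An empty entry (as in "a::b") means the current directory.
        [ -z "$dir" ] && dir=.
        if [ ! -d "$dir" ]; then
            echo "missing: $dir"; rc=1; continue
        fi
        case $dir in
            /*) ;;
            *)  echo "relative: $dir"; rc=1 ;;
        esac
        # -L follows a symlinked entry (e.g. /bin -> usr/bin) to the real
        # directory; -n prints the numeric uid so no name lookup is needed.
        info=$(ls -ldnL "$dir")
        perms=${info%% *}
        owner=$(printf '%s\n' "$info" | awk '{print $3}')
        if [ "$owner" != "$me" ] && [ "$owner" != 0 ]; then
            echo "owned by uid $owner: $dir"; rc=1
        fi
        # Mode string is like drwxrwxr-x: char 6 is group write, char 9 is
        # other write (a sticky 't' in char 10 still allows new files).
        case $perms in
            ????????w*) echo "world-writable: $dir"; rc=1 ;;
            ?????w*)    echo "group-writable: $dir"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run it as `audit_path "$PATH"` from a login shell; a clean result means nothing in the lookup order is writable by anyone but you or root.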