[Bug 684393] Re: $PATH discrepency when ~/bin exists
Adrian Wilkins
684393 at bugs.launchpad.net
Thu Apr 5 15:15:24 UTC 2018
> does NOT improve security at all
Reason why it does: all the other paths in PATH by default are
root-writeable only. If a personal ~/bin folder is at the front by default,
all it takes for someone to exploit you is to e.g. get you to unpack
an archive in your HOME that has
a) the files you wanted and
also b) a ./bin folder containing a `cd` program, for example
Installing a persistent override of common system commands only requires
user-level access with your ~/bin at the front of PATH.
Yes, you still only need user-level access to add a line to someone's
bash profiles to add ~/bin (or any other folder) to the start of PATH.
But it's one more little thing to overcome. It might be the difference
between you getting pwned or not. Adding a line to the bash profile
elevates the difficulty from just tricking a user into plonking files on
the filesystem to editing them.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to bash in Ubuntu.
https://bugs.launchpad.net/bugs/684393
Title:
$PATH discrepency when ~/bin exists
Status in bash package in Ubuntu:
Incomplete
Status in bash package in Debian:
New
Bug description:
Binary package hint: bash
Hi,
From the thread here: http://ubuntuforums.org/showthread.php?t=1634980
If you have a bin folder in yer home directory, it adds it to the
path.
It currently adds ~/bin to the start of $PATH, which has been brought
up as a bit of a security issue. It should add that path to the end of
the $PATH variable, not the beginning.
See the thread for a fix.
Thanks.
ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: bash 4.1-2ubuntu3
ProcVersionSignature: Ubuntu 2.6.32-26.48-generic 2.6.32.24+drm33.11
Uname: Linux 2.6.32-26-generic i686
Architecture: i386
Date: Thu Dec 2 11:29:24 2010
InstallationMedia: Ubuntu 10.04.1 LTS "Lucid Lynx" - Release i386 (20100816.1)
ProcEnviron:
LANGUAGE=
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: bash
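The PATH-ordering concern discussed in this thread can be audited on a given account. The following is an added example, not code from the bug report or the linked forum thread: a POSIX shell function (the name `path_shadows` is hypothetical) that reports every executable in a PATH directory writable by the current user which takes precedence over a same-named executable in a later PATH directory. It assumes "writable by the current user" is a reasonable stand-in for "only requires user-level access".

```shell
#!/bin/sh
# Added example: find commands in user-writable PATH directories that
# shadow a same-named command later in PATH.
#
# path_shadows PATHSTRING
# Prints one line per finding: "<file that wins> shadows <file that loses>"
path_shadows() {
    rest=$1:                          # trailing ':' simplifies the split loop
    while [ -n "$rest" ]; do
        dir=${rest%%:*}; rest=${rest#*:}
        dir=${dir:-.}                 # an empty PATH entry means the current directory
        # Root-only directories cannot be populated with user-level access,
        # so only directories the current user can write to are examined.
        [ -d "$dir" ] && [ -w "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            name=${f##*/}
            later=$rest               # only entries AFTER $dir can be shadowed
            while [ -n "$later" ]; do
                cand=${later%%:*}; later=${later#*:}
                cand=${cand:-.}
                [ "$cand" = "$dir" ] && continue   # same directory listed twice
                if [ -f "$cand/$name" ] && [ -x "$cand/$name" ]; then
                    printf '%s shadows %s\n' "$f" "$cand/$name"
                    break
                fi
            done
        done
    done
    return 0
}

# Run the audit on the live environment only when asked to.
if [ "${1:-}" = "--audit" ]; then
    path_shadows "$PATH"
fi
```

With ~/bin at the end of PATH the same files produce no findings for ~/bin, because nothing follows it to be shadowed. Shell builtins are resolved before PATH is searched, so the check only concerns external commands.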