$PATH discrepency when ~/bin exists

patch attached

Thank you for your bug report. This bug has been reported to Debian Maintainers. You can track it and make comments at: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606369

   Hi!

 Actually I fail to see the security impact of this. If a user creates
the bin directory themself and put stuff in there themself then it's on
their own intention, not? I really fail to see the security part of the
issue. Actually it makes sense to have ~/bin first in PATH to be able to
override system tools intentionally.

 I highly doubt that this will be changed on dubious reasoning and
actually wonder why it was forwarded to Debian.

 To be honest, if a malicious person is able to put an ls program into
~/bin of a user they are also able to change their ~/.profile and put
~/bin first in PATH again, so it gets no additional security, at all.

 Thanks,
Rhonda

If someone was able to access the box, create ~/bin and then drop a malicious script in there, then what would stop them from editing files that the user owns? Nothing.

It seems it's something specific to Debian, as a CentOS 5.5 box I have doesn't have anything like that in .bashrc.

I can understand the convenience factor, if you place a different executable there, since it's first in $PATH, but if you are doing that, why not just edit $PATH manually?

Actually, scratch it, on CentOS 5.5, it's in ~/.bash_profile

However, it adds the personal path to the end of the list:

PATH=$PATH:$HOME/bin

I strongly oppose the bug request, by the same reasons pointed out by Rhonda:

- It does NOT improve security at all, a malicious user could revert the changes or do worse.

- It would prevent intentional overriding of tools.

By the same reason /usr/local/bin comes before /usr/bin, ~/bin should come first.

User tools should override local tools, which in turn override system tools.

Putting ~/bin at the end of the path increases security. That is enough to end the argument.

If the user wants to override system tools, then they can just as easily rearrange their path to have ~/bin at the beginning. In fact, that's congruence: a user savvy enough to install their own tools to ~/bin _and_ want them to override system tools is likely savvy enough to edit their path. A user who isn't savvy isn't going to be able to figure out why "cd <anywhere>" always takes them to /you-got-punked.

Default to more security, not less.

The amount of security gained is irrelevant as there is no cost to doing it right.

The fallacy of "I can't imagine a scenario where ~/bin at the start of the path is a bigger security issue than if it's at the end of the path" is the same fallacy as "I can't break this encryption algorithm I wrote, therefore it's unbreakable."

Ubuntu 14.04 is also broken in that, after ~/bin is created, the user has to a) re-source .profile, or b) logout and login. Ubuntu 16.04 has at least fixed that, despite having the same security issue.

> does NOT improve security at all

Reason why it does : all the other paths in PATH by default are root-writeable only. If a personal ~/bin folder is at the front by default, all it takes is for someone to exploit you is to e.g. get you to unpack an archive in your HOME that has

a) the files you wanted and

also b) a ./bin folder containing a `cd` program, for example

Installing a persistent override of common system commands only requires user-level access with your ~/bin at the front of PATH.

Yes, you still only need user-level access to add a line to someone's bash profiles to add ~/bin (or any other folder) to the start of PATH. But it's one more little thing to overcome. It might be the difference between you getting pwned or not. Adding a line to the bash profile elevates the difficulty from just tricking a user into plonking files on the filesystem to editing them.