[php-maint] Bug#758185: Bug#758185: Bug#758185: php5-common: installation fails with . in $PATH

Lior Kaplan kaplan at debian.org
Fri Aug 15 13:19:29 UTC 2014


On Fri, Aug 15, 2014 at 1:39 PM, Zlatko Calusic <zcalusic at bitsync.net>
wrote:

> On 15.08.2014 10:57, Ondřej Surý wrote:
>
>> Hi Zlatko,
>>
>> I will fix that in git, but having "." in $PATH (especially for root
>> user) is a very bad bad practice and really should be avoided due to
>> security reasons.
>>
>>
> No, it's not. It's a bad practice ONLY if some requirements are met, which
> has not been the case here, for a long time.
>
>
>> Imagine someone dropping a malware binary in /tmp ...
>>
>
> That someone already has a root password, so it's easier for him to use it
> than to drop malware and wait for me to step on it. ;)
>
> The point being of course, dot in the PATH is dangerous ONLY if you are on
> a multiuser machine where there are people with shell access who you can't
> trust. I haven't seen such a machine in decades, and of course I'll remember
> to remove the all-dangerous dot from the PATH then. In the meantime, my
> boxes are so much friendlier with the dot included. :)
>

Shared hosting machines? (without virtualization)

We need the default setting to be secured for all users. If someone wants
to make his setting more friendly - he's welcome, but not the default. The
fact that you haven't seen such a setting doesn't tell us much of our
users' machines.

We shouldn't fail the installation because of that, but the warning should
probably still appear.

Kaplan
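
The "warn, but don't fail the installation" behaviour discussed in this thread, sketched as an added example; it is not part of the original message or of the php5 packaging. The function names and the sample PATH are hypothetical. Besides a literal ".", it also reports empty entries (leading, trailing or doubled colon), which are searched as the current directory too.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the php5 packaging.

# Print every PATH entry that is resolved against the current directory:
# ".", any other relative entry, or an empty entry (shown as "(empty)").
# Prints nothing when every entry is absolute.
relative_path_entries() {
    path_value=$1
    [ -n "$path_value" ] || return 0
    # Sentinel colon so a trailing empty entry survives the split.
    rest="$path_value:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            /*) ;;                      # absolute entry: fine
            "") echo "(empty)" ;;       # empty entry means current directory
            *)  echo "$entry" ;;        # "." or another relative entry
        esac
    done
}

# Warn on stderr but always return 0, so a maintainer script running
# under "set -e" continues with the installation.
warn_on_relative_path() {
    found=$(relative_path_entries "$1")
    [ -n "$found" ] || return 0
    echo "warning: PATH has entries resolved against the current directory:" >&2
    echo "$found" | sed 's/^/  /' >&2
    return 0
}

# Constructed sample PATH: contains "." and a trailing empty entry.
warn_on_relative_path "/usr/local/bin:/usr/bin:.:/bin:"
```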