Quote:
Originally Posted by
sudon't
Ok, I kinda get that it might be about having executables in permissions protected directories, but if all you need to do is use the absolute pathname, it doesn't seem like much security.
In fact it is: directories where (system) binaries are stored, like "/usr/bin", are writable only for root (and probably for a very select group of other system users). This means that only root can change the contents of the directory. As normal work never happens under root (at least this should be so) normal users and their processes can only use what is in there and not modify it.
Suppose the following: you use "/usr/bin/ls" by typing just "ls" because your PATH contains "/usr/bin". Now i write a program which erases everything in your HOME directory. I couldn't run that program, because the system would not let me. Therefore i place it somewhere and name it "ls". Because you have "." in your path once you enter the directory where this program file is and type "ls",
this is executed instead of "/usr/bin/ls" and now
you are requesting your HOME directory to be deleted - what the program now is allowed, because it runs under your ID. Mission accomplished.
In fact this makes for an awful lot of security if you do not use root for your daily work, just for system administration purposes) and do your normal work (like surfing the web, etc.) only under your user-ID.
Quote:
Originally Posted by
sudon't
If I ever write something useful, I'll stick it in /usr/local/bin
This is a good idea and very very close to what the expert way is. An even better idea would be to: make
/usr/local/bin writable only by root. Put in there only things you want to use with
all the users on the system. Create a directory
$HOME/bin, which will be writable only by you. Put all the scripts which are only for your use there. This is the
most canonical way of doing this. Don't forget Unix is truly a multi-user system (unlike Windoze, which is implicitly single-user, even in modern versions. The multi-user-feature is obviously "tinkered on second thoughts".) and you should separate things needed only by you and things needed for everyone on the system - even if it is your own system and nobody else will ever use it.
I hope this helps.
bakunin