Re: [Help-stow] Installing without root privileges in /usr/local

From: Adam Spiers
Subject: Re: [Help-stow] Installing without root privileges in /usr/local
Date: Thu, 8 Mar 2012 11:45:18 +0000

On Thu, Mar 8, 2012 at 2:01 AM, enclair <address@hidden> wrote:
> On 6 March 2012 23:49, Adam Spiers <address@hidden> wrote:
>> That should work fine, as per
> I don't understand this part.

What don't you understand exactly?

>> although you should be aware that this potentially reduces the
>> security of the whole system to that of the user with access to
>> /usr/local/stow.  If that user's account was compromised, and there
>> was an existing symlink from /usr/local/bin/foo to
>> /usr/local/stow/package/bin/foo, then the intruder would only need to
>> replace the latter with a trojaned version and wait for it to be run
>> in order to gain root access.
> You mean "and wait for it to be run as root user" don't you?


> For a system with only one user, the security should be the same as
> installing in $HOME/local, shouldn't it?

If it was installed in $HOME/local, there would be no likely path for
privilege escalation, since when logged in as root, the user would (or
at least should) not have $HOME/local/bin in their $PATH, and so would
not be likely to run a trojaned executable from that directory.
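
Added example, not part of the original message or of GNU Stow: a Python audit for the risk described in the reply above. It follows each entry in /usr/local/bin to its real target and reports every path component that is owned by a non-root user or is group/other writable; the function names and the trusted-uid default are assumptions made for this sketch.

```python
import os
import stat

def untrusted_components(path, trusted_uids, top="/"):
    """Return (component, reason) pairs for every part of the resolved
    path, up to `top`, that someone outside `trusted_uids` could change."""
    findings = []
    top = os.path.realpath(top)
    current = os.path.realpath(path)
    while True:
        st = os.stat(current)
        if st.st_uid not in trusted_uids:
            findings.append((current, f"owned by uid {st.st_uid}"))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            # A sticky directory (e.g. /tmp) does not let other users
            # replace entries they do not own, so it is not reported.
            if not (stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX):
                findings.append((current, "group/other writable"))
        parent = os.path.dirname(current)
        if current == top or parent == current:
            return findings
        current = parent

def audit_stow_links(bin_dir, trusted_uids=(0,), top="/"):
    """Map each entry of `bin_dir` to the findings for its real target."""
    # Every entry is checked, not only symlinks, so a bin directory that
    # is itself a link into the stow tree is covered as well.
    report = {}
    for entry in sorted(os.scandir(bin_dir), key=lambda e: e.name):
        if not os.path.exists(entry.path):
            report[entry.name] = [(os.readlink(entry.path), "dangling link")]
            continue
        findings = untrusted_components(entry.path, trusted_uids, top)
        if findings:
            report[entry.name] = findings
    return report

if __name__ == "__main__":
    # Assumption: only uid 0 is trusted; the path is the one in the thread.
    for name, findings in audit_stow_links("/usr/local/bin").items():
        for component, reason in findings:
            print(f"{name}: {component} ({reason})")
```

An empty report means no entry resolves through a file or directory that a non-root account controls.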

