I just discovered that root's PATH on CentOS does not include /usr/local/bin.
What's the rationale for this? I'm tempted to add it to the PATH but I don't know what vulnerabilities that might introduce.
There is a discussion here https://bugs.centos.org/view.php?id=5707 indicating inconsistent behavior. It's there via sudo but not there with a direct root login. That's according to the bug report, which is specific to CentOS 6.
More to the point, you're vulnerable if there is danger of bad stuff being installed at /usr/local/bin. By forcing yourself to use the full path (/usr/local/bin/whatever) you don't have any risk of accidentally invoking bad stuff via $PATH.
Of course that's true for anything performed with elevated privilege. Keep your path variable limited and you reduce your risk of tripping over an intruder's trap.
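
One way to check a PATH before using it in a root shell, as an added example that is not part of the original answer: a POSIX shell function that flags entries resolving to the current directory, relative entries, and directories that are group- or world-writable or not owned by a trusted UID. The function name `audit_path`, the finding labels and the optional trusted-UID argument are assumptions of this example.

```shell
#!/bin/sh
# audit_path PATH_STRING [TRUSTED_UID]
# Prints one finding per risky entry and returns 1 if there were any.
# TRUSTED_UID defaults to 0 (root); it is a parameter of this example only.
audit_path() {
    padded="$1:"            # trailing ':' keeps a final empty entry visible
    trusted_uid=${2:-0}
    findings=0
    old_ifs=$IFS; IFS=:; set -f
    set -- $padded          # split on ':' without glob expansion
    set +f; IFS=$old_ifs
    for dir do
        case $dir in
            "") echo "CWD: empty entry resolves to the current directory" ;;
            /*) if [ ! -d "$dir" ]; then
                    echo "MISSING: $dir"
                else
                    # -d the directory itself, -n numeric owner, -L follow symlinks
                    meta=$(ls -ldnL "$dir" | awk '{print substr($1,1,10), $3}')
                    perms=${meta% *}; owner=${meta#* }
                    case $perms in
                        # character 6 = group write, character 9 = other write
                        ?????w*|????????w*) echo "WRITABLE: $dir ($perms)" ;;
                        *) [ "$owner" = "$trusted_uid" ] && continue
                           echo "OWNER: $dir is owned by uid $owner" ;;
                    esac
                fi ;;
            *)  echo "RELATIVE: $dir" ;;
        esac
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}
# Usage, from the root shell whose PATH you want to check:
#   audit_path "$PATH"
```

The function only inspects the directories themselves; it does not examine the files installed in them.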