
I just discovered that root's PATH on CentOS does not include /usr/local/bin.

What's the rationale for this? I'm tempted to add it to the PATH but I don't know what vulnerabilities that might introduce.

spraff

1 Answer


There is a discussion here https://bugs.centos.org/view.php?id=5707 indicating inconsistent behavior. It's there via sudo but not there with a direct root login. That's according to the bug report, which is specific to CentOS 6.

More to the point, you're vulnerable if there is danger of bad stuff being installed at /usr/local/bin. By forcing yourself to use the full path (/usr/local/bin/whatever) you don't have any risk of accidentally invoking bad stuff via $PATH.

Of course that's true for anything performed with elevated privilege. Keep your path variable limited and you reduce your risk of tripping over an intruder's trap.

Edward Barnard
  • But if something can be installed to /usr/local/bin can't it also be installed to /usr/bin? – spraff Sep 16 '16 at 22:56
  • Yes indeed, someone able to install to /usr/local/bin could probably install to /usr/bin. However, /usr/bin should contain things which came with the CentOS release, whereas /usr/local/bin would contain things which you (or your site) have installed after the fact. It's the latter which would carry the higher risk. So, on the one hand, /usr/local/bin might carry higher risk because it contains software outside the standard distribution. On the other hand a bad person could install either place, given the elevated privilege. – Edward Barnard Sep 17 '16 at 12:11
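As an added example (not from the original answer or comments), a POSIX shell audit of each PATH entry for the conditions the answer warns about: directories another account could write to, directories that do not exist yet, directories not owned by the trusted account, and empty or relative entries. It assumes GNU coreutils `stat -c`; run it as root to check root's own PATH against owner uid 0.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a PATH string for
# entries that would let another account plant a binary that root then
# runs by name. Assumes GNU `stat -c`. Findings print as "<reason> <entry>";
# audit_path returns 1 if anything was flagged, 0 if the PATH is clean.

check_path_dir() {
    dir="$1" trusted_uid="$2"
    case "$dir" in
        "")  echo "relative   (empty entry = current directory)"; return 1 ;;
        /*)  ;;
        *)   echo "relative   $dir"; return 1 ;;
    esac
    # A missing directory is controlled by whoever creates it later.
    if [ ! -d "$dir" ]; then
        echo "missing    $dir"; return 1
    fi
    mode=$(stat -c '%a' "$dir") || return 1
    owner=$(stat -c '%u' "$dir") || return 1
    # 022 (octal) masks the group- and other-write bits of the mode.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "writable   $dir (mode $mode)"; return 1
    fi
    if [ "$owner" -ne "$trusted_uid" ]; then
        echo "owner      $dir (uid $owner, expected $trusted_uid)"; return 1
    fi
    return 0
}

# audit_path PATH_STRING [TRUSTED_UID]   (TRUSTED_UID defaults to 0 = root)
audit_path() {
    rest="$1:"            # trailing ':' so a final empty entry is also seen
    trusted_uid="${2:-0}"
    bad=0
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        check_path_dir "$entry" "$trusted_uid" || bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

# Run as root with `sh audit_path.sh --run` to audit root's current PATH.
if [ "${1:-}" = "--run" ]; then
    audit_path "$PATH" "${2:-0}"
fi
```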