help-stow

Re: [Help-stow] Installing without root privileges in /usr/local


From: Adam Spiers
Subject: Re: [Help-stow] Installing without root privileges in /usr/local
Date: Thu, 8 Mar 2012 11:45:18 +0000

On Thu, Mar 8, 2012 at 2:01 AM, enclair <address@hidden> wrote:
> On 6 March 2012 at 23:49, Adam Spiers <address@hidden> wrote:
>>
>> That should work fine, as per
>>
>> http://www.gnu.org/software/stow/manual/html_node/Compile_002dtime-vs-Install_002dtime.html#Compile_002dtime-vs-Install_002dtime
>
> I don't understand this part.

What don't you understand exactly?

>> although you should be aware that this potentially reduces the
>> security of the whole system to that of the user with access to
>> /usr/local/stow.  If that user's account was compromised, and there
>> was an existing symlink from /usr/local/bin/foo to
>> /usr/local/stow/package/bin/foo, then the intruder would only need to
>> replace the latter with a trojaned version and wait for it to be run
>> in order to gain root access.
>
> You mean "and wait for it to be run as root user" don't you?

Correct.

> For a system with only one user, the security should be the same as
> installing in $HOME/local, shouldn't it?

If it was installed in $HOME/local, there would be no likely path for
privilege escalation, since when logged in as root, the user would (or
at least should) not have $HOME/local/bin in their $PATH, and so would
not be likely to run a trojaned executable from that directory.
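
An audit for the exposure discussed in this message, as an added example that is not part of the original thread or of Stow itself: it lists symlinks in a bin directory whose targets inside the stow tree could be replaced by someone other than a trusted user. The function name and the optional trusted-UID argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread.
# audit_stow_links BIN_DIR STOW_DIR [TRUSTED_UID]
# Prints "link -> path" for every symlink in BIN_DIR whose target lives under
# STOW_DIR and has a path component (from the target up to STOW_DIR itself)
# that is not owned by TRUSTED_UID (default 0, root) or is group- or
# world-writable. Returns 1 if anything was reported, 0 otherwise.
# Assumes readlink -f is available (GNU coreutils, BusyBox, recent BSD/macOS).
audit_stow_links() {
    bin_dir=$1
    stow_dir=$(readlink -f "$2") || return 2
    trusted_uid=${3:-0}
    rc=0
    for link in "$bin_dir"/*; do
        [ -L "$link" ] || continue
        p=$(readlink -f "$link") || continue
        case $p in
            "$stow_dir"/*) ;;          # only links pointing into the stow tree
            *) continue ;;
        esac
        # Walk upward: whoever can write any component can swap the target.
        while :; do
            hit=$(find "$p" -prune \( ! -user "$trusted_uid" \
                    -o -perm -020 -o -perm -002 \) -print)
            if [ -n "$hit" ]; then
                printf '%s -> %s\n' "$link" "$p"
                rc=1
                break
            fi
            [ "$p" = "$stow_dir" ] && break
            p=$(dirname "$p")
        done
    done
    return $rc
}
```

For the layout in the thread this would be called as `audit_stow_links /usr/local/bin /usr/local/stow`; each reported line names the first path component that a non-root account can modify.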


