Subject: Re: Installing local packages and NetBSD guide
To: None <netbsd-users@NetBSD.org>
From: Magnus Eriksson <email@example.com>
Date: 09/28/2007 14:08:56

On Fri, 28 Sep 2007, John Nemeth wrote:
> } > (/usr/local/* is still retained in various default PATHs, for convenience)
> } Smells like potential security problems to me, if it still is the case.
> What security problem? If the administrator doesn't put anything
> there, then nothing will be found. If the administrator does put
> something there, then presumably they intend it to be used.

Having a suid root program exploited to create the directory, or change
the permissions of it -- *that* security problem.

I don't know exactly in which "various default PATHs" /usr/local is
referenced; and what or who might be convinced to run a "custom" binary or
read a custom config file, but it doesn't seem harmless.
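
One way to check a system for the condition discussed in this thread, as an added example that is not part of the original message: a POSIX sh audit that flags PATH entries which are relative, do not exist yet, or are owned or writable by someone other than a trusted uid. The function names and verdict strings are invented for this example, and treating uid 0 as the trusted owner is an assumption.

```shell
#!/bin/sh
# Added example: classify PATH entries by whether someone other than the
# trusted owner could place a binary in them. Names here are hypothetical.

# check_path_dir DIR [TRUSTED_UID] prints one verdict:
#   relative | missing | not-a-dir | untrusted-owner | writable | ok
check_path_dir() {
    dir=$1
    trusted_uid=${2:-0}               # assumption: root owns system directories
    case $dir in
        /*) ;;
        *)  echo relative; return 0 ;; # "", "." and "bin" resolve against cwd
    esac
    # A listed but absent directory becomes live as soon as anything creates it.
    if [ ! -e "$dir" ]; then echo missing; return 0; fi
    if [ ! -d "$dir" ]; then echo not-a-dir; return 0; fi
    # ls -n prints the numeric uid; -L follows a symlinked entry to its target.
    info=$(ls -ldLn "$dir" | awk '{ print $1 " " $3 }')
    mode=${info% *}
    uid=${info#* }
    if [ "$uid" != "$trusted_uid" ]; then echo untrusted-owner; return 0; fi
    case $mode in
        ?????w*|????????w*) echo writable ;;  # group or other write bit set
        *)                  echo ok ;;
    esac
}

# audit_path PATHSTRING [TRUSTED_UID]
# Prints one line per entry; returns 0 only if every entry is "ok".
audit_path() {
    path=$1
    trusted=${2:-0}
    bad=0
    old_ifs=$IFS
    IFS=:
    set -f                            # no globbing while splitting on ':'
    for d in $path; do
        IFS=$old_ifs
        verdict=$(check_path_dir "$d" "$trusted")
        printf '%-16s %s\n' "$verdict" "${d:-<empty>}"
        [ "$verdict" = ok ] || bad=1
    done
    set +f
    IFS=$old_ifs
    return "$bad"
}

# Usage: audit_path "$PATH"
```

Run it against each default PATH the system hands out (login shells, cron, daemons started at boot), since those can differ from the PATH of an interactive session.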