best way to ensure './' is at beginning of sys.path?

Steve D'Aprano steve+python at pearwood.info
Sun Feb 5 17:07:34 EST 2017


On Sun, 5 Feb 2017 07:01 pm, Wildman wrote:

> Sure, you
> could trick someone into running a program that could
> mess with $HOME but that is all.  For anyone, like me,
> that makes regular backups, that is not a big problem.
> To do any real damage to the system or install a key
> logger or some other malicious software, root access
> would be required.

The complacency of Linux users (and I include myself here) is frightening.

Why do you value the OS more than your own personal files? In the worst
case, you could re-install the OS in a couple of hours' effort. Losing your
personal files, your home directory and email, could be irreplaceable.

You're also ignoring the possibility of privilege-escalation attacks.

As far as "regular backups", well, you're just not thinking deviously
enough. If I were to write a ransomware application, running as the regular
user, I would have the application encrypt files and emails just a few at a
time, over a period of many weeks, gradually increasing the rate. By the
time the victim has realised that their files have been encrypted, their
backups have been compromised too: you can restore from backup, but you'll
be restoring the encrypted version.

Obviously this requires tuning. How many files will people be willing to
just write off as lost rather than pay the ransom? How quickly do you
accelerate the process of encrypting files to maximize the number of people
who will pay?




-- 
Steve
“Cheer up,” they said, “things could be worse.” So I cheered up, and sure
enough, things got worse.




More information about the Python-list mailing list