best way to ensure './' is at beginning of sys.path?

Wildman best_lay at yahoo.com
Mon Feb 6 01:11:52 EST 2017


On Mon, 06 Feb 2017 09:07:34 +1100, Steve D'Aprano wrote:

> On Sun, 5 Feb 2017 07:01 pm, Wildman wrote:
> 
>> Sure, you
>> could trick someone into running a program that could
>> mess with $HOME but that is all.  For anyone, like me,
>> that makes regular backups, that is not a big problem.
>> To do any real damage to the system or install a key
>> logger or some other malicious software, root access
>> would be required.
> 
> The complacency of Linux users (and I include myself here) is frightening.

No comment. :-)

> Why do you value the OS more than your own personal files? In the worst
> case, you could re-install the OS is a couple of hours effort. Losing your
> personal files, your home directory and email, could be irreplaceable.

I would not say I value the OS more.  It is that anything I
have that I consider important does not stay in $HOME very
long without being backed up or moved to an external drive.

> You're also ignoring the possibility of privilege-escalation attacks.

The odds of that happening are very low.  You should know that.
There are very few actual exploits in the wild.  Whenever one
is discovered, it is fixed quickly.  You would be hard pressed
to find more than a few examples of where a vulnerability was
actually exploited.

> As far as "regular backups", well, you're just not thinking deviously
> enough. If I were to write a ransomware application, running as the regular
> user, I would have the application encrypt files and emails just a few at a
> time, over a period of many weeks, gradually increasing the rate. By the
> time the victim has realised that their files have been encrypted, their
> backups have been compromised too: you can restore from backup, but you'll
> be restoring the encrypted version.
> 
> Obviously this requires tuning. How many files will people be willing to
> just write-off as lost rather than pay the ransom? How quickly do you
> accelerate the process of encrypting files to maximize the number of people
> who will pay?

I should explain a few things that will make my position
clearer.  First of all, I am not advocating for anyone to
change their computing practices.  If you are comfortable
with your methods, who am I to tell you different?

I am an amateur programmer and therefore I do not make a
living writing code.  If I suddenly lost all my code, it
would not be the end of the world for me.  I would have
enjoyment writing it again.  Because of this I am not
very paranoid when it comes to my computer data, although
I do practice safe surfing when it comes to the internet.
Scripting and Java stay off unless it is needed by a
'known' site.  Also, I never click unknown links without
doing a little sniffing first.

And last I would like to say that I admit some of the
scenarios you and others have laid out could happen,
but, in my circumstance, it is very unlikely.  One
would have a hard time placing a program on my computer
and running it without me knowing about it.  No, that
is not a challenge. :-)

-- 
<Wildman> GNU/Linux user #557453
The cow died so I don't need your bull!
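The slow-encryption scenario Steve describes above only beats a backup regime if each new snapshot is allowed to overwrite the last clean one without being compared to it. As an added example, not code from this thread or from either poster, the Python below compares the previous backup snapshot with the new one and flags files whose content has flipped from ordinary-looking data to ciphertext-like high entropy; rotation is refused while any such transition is present. The file names, contents and thresholds are constructed for illustration.

```python
"""Detect gradual ransomware-style encryption between two backup snapshots.

Added example (not from the python-list thread). The defender's check for the
"encrypt a few files a week" scenario is to compare each new backup against the
previous one and refuse to rotate out the old snapshot when files have changed
from normal-looking content into ciphertext-like high-entropy bytes.
"""
import math
import random
from collections import Counter
from pathlib import Path

HIGH_ENTROPY = 7.5   # bits/byte; ciphertext and well-compressed data sit near 8.0
MIN_JUMP = 2.0       # bits/byte increase required to count as a transition
MIN_SIZE = 256       # tiny files give noisy entropy estimates; skip them


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def snapshot_dir(root) -> dict:
    """Read every regular file under root into {relative_path: bytes}."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}


def suspicious_transitions(prev: dict, cur: dict,
                           high=HIGH_ENTROPY, jump=MIN_JUMP, min_size=MIN_SIZE):
    """Paths whose content changed from low-entropy to ciphertext-like.

    Returns a list of (path, prev_entropy, cur_entropy). Files that were already
    high-entropy in the previous snapshot (archives, JPEGs, existing encrypted
    containers) are not reported: only the *transition* is the ransomware signal.
    """
    flagged = []
    for path, new_data in cur.items():
        old_data = prev.get(path)
        if old_data is None or old_data == new_data or len(new_data) < min_size:
            continue
        h_old, h_new = shannon_entropy(old_data), shannon_entropy(new_data)
        if h_new >= high and h_new - h_old >= jump:
            flagged.append((path, round(h_old, 2), round(h_new, 2)))
    return flagged


def safe_to_rotate(prev: dict, cur: dict) -> bool:
    """True when the new snapshot may replace the oldest retained backup."""
    return not suspicious_transitions(prev, cur)


# --- constructed sample data (hypothetical files, not real user data) ---------
def _prose(seed: int, size: int) -> bytes:
    """Low-entropy text built from a small vocabulary, deterministic per seed."""
    words = b"backup home directory email thesis notes python list".split()
    rng = random.Random(seed)
    out = b""
    while len(out) < size:
        out += rng.choice(words) + b" "
    return out[:size]


def _ciphertext(seed: int, size: int) -> bytes:
    """Stand-in for encrypted output: uniformly random bytes, deterministic per seed."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


PREV_SNAPSHOT = {
    "notes.txt": _prose(1, 4096),
    "thesis.tex": _prose(2, 8192),
    "photo.jpg": _ciphertext(3, 4096),   # legitimately high-entropy already
}
CUR_SNAPSHOT = {
    "notes.txt": PREV_SNAPSHOT["notes.txt"],   # untouched
    "thesis.tex": _ciphertext(4, 8192),        # silently encrypted since last backup
    "photo.jpg": PREV_SNAPSHOT["photo.jpg"],   # untouched
}

if __name__ == "__main__":
    for path, h_old, h_new in suspicious_transitions(PREV_SNAPSHOT, CUR_SNAPSHOT):
        print(f"{path}: entropy {h_old} -> {h_new} bits/byte")
    print("rotate old backup:", safe_to_rotate(PREV_SNAPSHOT, CUR_SNAPSHOT))
```

Against real directories, build the two dicts with `snapshot_dir()` on the previous and current backup trees. Comparing against the prior snapshot rather than an absolute threshold is what keeps archives, images and existing encrypted containers out of the report, but entropy is only one signal: an attacker who encrypts into a low-entropy encoding, or who only touches files below the size floor, slips past it. The check is most useful paired with snapshots that cannot be modified or expired from the user's own account, so that a flagged rotation can simply be held.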
