Why putting ~/bin or . in your $PATH is not a bad idea:
- Nobody, at least without a specific reason to, puts ~/bin (or .) at the beginning of their $PATH. They put it at the end. This means, the only way you can type 'su' and execute ~/bin/su is if su does not exist anywhere else in your path. In other words, all that is required for someone to gain your root password is for him to already have root access (so he can remove the su executable from your system). No added risk here.
- If a cracker/etc. has access to ~/bin, they have access to ~/.bashrc, so they can add it to your path anyway. Of course, they still have to deal with point #1 above. Again, no added risk here.
- Since said cracker has access to ~/.bashrc, he can add an alias to su (which will actually execute if you type it, even if there is an su in your $PATH). Here is the real risk. If he has access to your config files, he can alias whatever he wants to, and he doesn't need to bother with $PATH at all.
A note on "."
After an extended discussion with lj, I'm forced to concede that there is a situation in which having "." in your $PATH could be exploited by a malicious user. This involves (1) that the malicious user knows you have "." in your path, (2) that you are mucking around in that user's home directory, or /tmp, or somewhere else where that user has write permission, (3) that you mistype some common command (say you type "sl" instead of "ls," and (4) that the malicous user has guessed beforehand which command you would mistype and installed an executable in that directory named for that typo. If you did so, and he did so, he would be able to do anything your account has permission to do (including, if you're root, taking control of your system—unless, of course, you notice the typo or the executable file called "sl," in which case you'd repair your system, lock the account, and call the FBI...).
Is this scenario likely? No. I'd venture to say it's quite unlikely that it has happened, ever, in the history of computing. But it is possible.
Is this danger enough to offset the benefits of having "." in your $PATH? Well, I don't personally see the benefits of "." (I like the separation of commands, in my mind, from "current directory" scripts—configure, autoinstallers, etc.). As root, well, it's a good idea to keep your $PATH simple. "." has no place in it, or "~/bin" for that matter (if root wants to add a binary to his system, he can just put it in /usr/bin or /usr/local/bin. If he wants it only available to super users, he can add it to one of the "sbin" directories. "~/bin" is a workaround for those users who don't have write access to these directories). As a normal user, I'd say it's a toss-up. The likelihood of exploit is about at the level of a cracker guessing your random alphanumeric 8-character password. If you find "." useful, use it.