This is a discussion on Re: small patch to etc/skel/dot.cshrc within the mailing.openbsd.tech forums, part of the OpenBSD category.
On 17 Feb 2004, eric wrote:
| On Tue, 2004-02-17 at 18:09:38 -0500, James Larkby-Lahet proclaimed...
|
| > This is not a security issue, if that's what you are thinking, because
| > the paths are searched in order. All the normal binary directories are
| > listed first, so no one can slip you a trojaned 'ls' or whatever in the
| > current directory. Completely removing '.' from your path is an
| > overkill solution. And annoying :-)
|
| Paranoid, yes. Annoying? I'd beg to differ. I've seen several
| sysadmins accidentally screw up the order and put "." further up
| the PATH chain. How about adding just a little commented mark
| educating users to leave it at the end?
|
| I'll quit beating a dead horse now either way. Just wasn't sure if
| it was something overlooked.

I also think '.' should be removed from the PATH. Example:

- imagine an evil hacker places a binary (trojan...) called 'sl' in /tmp
- if '.' is in the default PATH, the hacker would just have to wait long enough so that a user (whose cwd happens to be /tmp) mistypes 'sl' (instead of 'ls') so that it executes the trojan

This simple attack is really used by the bad guys and works very well on massively multiuser systems.

--
Marc Bevand                          http://www.epita.fr/~bevand_m
Computer Science School EPITA - System, Network and Security Dept.
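The point of the exchange above is that PATH order only protects names that exist in an earlier directory; a mistyped name that exists nowhere falls through to whatever '.' (or an empty entry, or a world-writable directory such as /tmp) holds. The script below is an added example, not code from the thread or from OpenBSD's dot.cshrc, written in POSIX sh: it audits a PATH string for such entries, prints a sanitized copy, and resolves a command name the way execvp(3) does so the fall-through is visible. The function names (audit_path, sanitize_path, first_match, demo), the scratch directory and the sample PATH strings are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PATH value from a defender's
# side and show why putting '.' last does not protect mistyped commands.

# Print every entry that makes the shell search the current working directory
# or a directory anyone can write to. Returns 1 if anything was found, else 0.
audit_path() {
    p=${1-$PATH}
    rest="$p:"            # sentinel colon so the last field is parsed like the others
    found=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            "") echo "empty entry (searches the current directory)"; found=1 ;;
            .)  echo "'.' entry (searches the current directory)";   found=1 ;;
            /*)
                # absolute entry: flag it only if it is a world-writable directory
                # (sticky bit or not, anyone can still create a new file there)
                if [ -d "$entry" ] && [ -n "$(find "$entry" -prune -perm -002 2>/dev/null)" ]; then
                    echo "world-writable directory: $entry"; found=1
                fi ;;
            *)  echo "relative entry: $entry"; found=1 ;;
        esac
    done
    return $found
}

# Print a copy of the PATH with '.', empty and other relative entries dropped.
sanitize_path() {
    p=${1-$PATH}
    rest="$p:"
    out=""
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            ""|.) ;;                          # drop current-directory entries
            /*)   out="${out:+$out:}$entry" ;;
            *)    ;;                          # drop other relative entries
        esac
    done
    printf '%s\n' "$out"
}

# Resolve a command name the way execvp(3) and csh do: the first entry that
# holds an executable file wins. '.' and empty entries are resolved against $2
# (the directory the user is sitting in, default $PWD); $3 is the PATH to walk.
# Prints the resolved path and returns 0, or prints nothing and returns 1.
first_match() {
    name=$1; cwd=${2:-$PWD}; p=${3-$PATH}
    rest="$p:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in ""|.) dir=$cwd ;; *) dir=$entry ;; esac
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# Demo with constructed input: a scratch directory standing in for /tmp, holding
# a harmless executable named 'sl' (the typo from the thread) that only exits.
demo() {
    scratch=${TMPDIR:-/tmp}/pathaudit.$$
    mkdir -p "$scratch" && chmod 1777 "$scratch"
    printf '#!/bin/sh\nexit 0\n' > "$scratch/sl" && chmod +x "$scratch/sl"
    echo "--- audit of /bin:/usr/bin:. ---"
    if audit_path "/bin:/usr/bin:."; then echo "clean"; else echo "(findings above)"; fi
    echo "--- with cwd=$scratch and '.' last:"
    echo "    'ls' resolves to: $(first_match ls "$scratch" /bin:/usr/bin:.)"
    echo "    'sl' resolves to: $(first_match sl "$scratch" /bin:/usr/bin:.)"
    echo "--- sanitized PATH: $(sanitize_path /bin:/usr/bin:.)"
    rm -rf "$scratch"
}
demo
```

Running it shows 'ls' resolving to /bin/ls as eric says, while the typo 'sl' resolves into the scratch directory because no earlier entry has it; the empty-entry and relative-entry cases are checked too, since `PATH=/bin::/usr/bin` or `PATH=$PATH:` searches the current directory just as '.' does. audit_path on a PATH that contains /tmp itself reports it as world-writable regardless of the sticky bit.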