This is a discussion on Re: small patch to etc/skel/dot.cshrc within the mailing.openbsd.tech forums, part of the OpenBSD category.
On Wed, 2004-02-18 at 16:05, Julian Leyh wrote:
> On Wed, 18 Feb 2004 01:54:38 +0100
> Marc Bevand <bevand_m@epita.fr> wrote:
>
> > I also think '.' should be removed from the PATH. Example:
> > - imagine an evil hacker places a binary (trojan...) called 'sl'
> >   in /tmp
> > - if '.' is in the default PATH, the hacker would just have
> >   to wait long enough so that a user (whose cwd happens to be
> >   /tmp) mistypes 'sl' (instead of 'ls') so that it executes the
> >   trojan
>
> ln -s /bin/ls /bin/sl
>
> do that for the common type errors and your system is more secure
>
> cu
> JRL

I think we need to thank the person who brought this up.

"Thanks for caring, and thanks for submitting a patch, which is more than most people do. Please continue to view the system with a critical eye."

Theo reviewed the patch, and declined. Theo seems to have good instincts when it comes to security. Good enough.
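
A check for the condition discussed in this thread, as an added example that is not part of the original messages: it reports every PATH entry that makes the shell search the current directory. Besides a literal '.', that includes empty entries (a leading, trailing or doubled ':') and relative directories. The function name `audit_path` and the sample values are constructed for illustration.

```shell
#!/bin/sh
# audit_path PATHSTRING   (hypothetical helper, added example)
# Prints one line per entry that resolves against the current working
# directory. Returns 0 if the search path is clean, 1 otherwise.
audit_path() {
    rest="$1:"          # trailing ':' keeps a final empty entry visible
    pos=0
    bad=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text before the first ':'
        rest=${rest#*:}     # everything after the first ':'
        pos=$((pos + 1))
        case $entry in
            '')
                # POSIX: a zero-length entry means the current directory
                echo "entry $pos: empty (current directory)"
                bad=1 ;;
            .)
                echo "entry $pos: '.' (current directory)"
                bad=1 ;;
            /*)
                ;;          # absolute path, not cwd-dependent
            *)
                # relative directories, including ./bin and ../bin
                echo "entry $pos: relative path '$entry'"
                bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample: a skeleton-style PATH that ends with '.'
audit_path "/bin:/sbin:/usr/bin:/usr/local/bin:." || true
```

Run it as `audit_path "$PATH"` from an interactive shell or a login-script check; in csh the `PATH` environment variable carries the same colon-separated form.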