Security and $PATH
John Nelson
john at genrad.UUCP
Mon Aug 8 01:28:55 AEST 1983
I really don't understand what all the hoopla is about! An
unsophisticated user who never cd's to someone else's
directory tree wishes to have the current directory searched
FIRST for commands (so that his commands will override the
system command names.) Anyone who is somewhat sophisticated
will know about existing command names, and will generally
avoid naming his own programs with a conflicting name! To
avoid someone else renaming a standard command (or even to
protect himself from accidentally doing something as disastrous
as the "du" delete user syndrome) all he has to do is put the
"." directory LAST in his path! No one should ever have to
type a command as ./command, even as a security measure,
unless someone has stupidly named a program the same as a
standard program!
As for programs with standard names that create set-uid
programs, if your current directory belongs to someone else,
then the burden of being careful is up to YOU! If you execute
programs on someone else's directory, you get what you
deserve!
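
The ordering question discussed in the post, as an added example that is not part of the original message: two POSIX shell functions (the names are hypothetical) that report where a current-directory entry sits in a PATH string, counting empty entries as ".", and which executables in a directory share a name with a command found elsewhere on that PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# is_cwd_entry ENTRY: true if a PATH entry means "the current directory".
# An empty entry (leading, trailing or doubled colon) is treated as ".".
is_cwd_entry() {
    case $1 in ''|.|./) return 0 ;; *) return 1 ;; esac
}

# dot_position PATHSTR: print none, only, first, last or middle, according to
# the earliest current-directory entry (the earliest one decides precedence).
dot_position() {
    rest=$1: idx=0 first_hit=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}; idx=$((idx + 1))
        if [ "$first_hit" -eq 0 ] && is_cwd_entry "$entry"; then first_hit=$idx; fi
    done
    if [ "$first_hit" -eq 0 ]; then echo none
    elif [ "$idx" -eq 1 ]; then echo only
    elif [ "$first_hit" -eq 1 ]; then echo first
    elif [ "$first_hit" -eq "$idx" ]; then echo last
    else echo middle; fi
}

# shadowing_names PATHSTR DIR: print each executable in DIR whose name also
# exists in a non-current-directory PATH entry. With "." first, the copy in
# DIR runs; with "." last, the PATH copy runs.
shadowing_names() {
    for f in "$2"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        name=${f##*/} rest=$1:
        while [ -n "$rest" ]; do
            entry=${rest%%:*}; rest=${rest#*:}
            is_cwd_entry "$entry" && continue
            if [ -f "$entry/$name" ] && [ -x "$entry/$name" ]; then
                echo "$name"; break
            fi
        done
    done
}

# Report on the invoking user's own PATH and working directory.
echo "current-directory entry in \$PATH: $(dot_position "$PATH")"
shadowing_names "$PATH" .
```
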