Security and $PATH
E.MANTEL
3723edm at houxq.UUCP
Sun Jul 31 05:45:17 AEST 1983
On the UNIX systems I am familiar with (running USG 5.0), the PATH variable is
set, both in /etc/profile and in login, to begin with a ':', meaning that the
current directory is the first directory to be searched.
It seems to me that this is a significant security hole, because it means that
a user can set a booby trap by writing a shell that has the same name as a
common command, but does something significantly different.
Is it a common practice to have the default PATH begin with a ':'?
Is there a real good reason to make this the default?
Eli Mantel, houxq!3723edm, ABI ED&D Holmdel
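
An added example, not part of the original post: a POSIX shell function that audits a PATH value for entries the shell resolves against the current directory. It goes beyond the leading ':' described above and also flags a trailing ':', an empty '::' entry, a literal '.', and relative directories; the name audit_path and the sample PATH strings are constructed for illustration.

```shell
#!/bin/sh
# audit_path PATHSTRING
# Prints one line per PATH entry that is searched relative to the current
# directory and returns non-zero if any such entry was found.
# The body is a subshell "( ... )" so its variables do not leak to the caller.
audit_path() (
    rest=$1
    pos=0
    bad=0
    while :; do
        pos=$((pos + 1))
        # Peel off the next entry by hand. IFS splitting would silently
        # drop a trailing empty field, which is one of the cases we want.
        case $rest in
            *:*) entry=${rest%%:*}; rest=${rest#*:}; last=0 ;;
            *)   entry=$rest; last=1 ;;
        esac
        case $entry in
            '') echo "entry $pos: empty, searches the current directory"
                bad=1 ;;
            .)  echo "entry $pos: '.', searches the current directory"
                bad=1 ;;
            /*) ;;  # absolute directory: not affected by where the user is
            *)  echo "entry $pos: relative directory '$entry'"
                bad=1 ;;
        esac
        if [ "$last" -eq 1 ]; then break; fi
    done
    [ "$bad" -eq 0 ]
)

# Constructed samples: the first is the default shape described in the post.
for sample in ":/bin:/usr/bin" "/bin:/usr/bin:" "/bin::/usr/bin" "/bin:/usr/bin"; do
    echo "PATH=$sample"
    audit_path "$sample" || echo "  -> current directory is on the search path"
done
```

To check a live session, call audit_path "$PATH".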