*BSD News Article 32454



Newsgroups: comp.os.386bsd.questions
Path: sserve!newshost.anu.edu.au!munnari.oz.au!bunyip.cc.uq.oz.au!harbinger.cc.monash.edu.au!msuinfo!agate!howland.reston.ans.net!pipex!uknet!cf-cm!isl-gate.elsy.cf.ac.uk!paul
From: paul@isl-gate.elsy.cf.ac.uk (Paul)
Subject: Re: FreeBSD: executables in working dir
Message-ID: <1994Jul6.160332.6984@cm.cf.ac.uk>
Sender: paul@isl-gate.elsy.cf.ac.uk (Paul)
Organization: ELSYM, University of Wales, College of Cardiff, UK.
References: <2v9of3$46t@ohlone.kn.PacBell.COM> <JKH.94Jul4210444@whisker.hubbard.ie> <2valvp$egd@Mercury.mcs.com> <2vc9g6$11q@keltia.frmug.fr.net>
Date: Wed, 6 Jul 1994 16:03:30 +0000
Lines: 36

In article <2vc9g6$11q@keltia.frmug.fr.net>,
Ollivier Robert <roberto@hsc.fr.net> wrote:
>In article <2valvp$egd@Mercury.mcs.com>, Daniel Leeds <dleeds@MCS.COM> wrote:
>>Jordan Hubbard (jkh@whisker.hubbard.ie) wrote:
>>: Sounds like you don't have `.' in your $PATH!
>>
>>Heh, but don't add it!  Security no no there.  It adds the possibility of
>>trojans (no, not the condoms) etc...  Use ./(file) to run it from the
>>directory.
>
>Better, if you want the possibility of running in-place binaries and not
>the security hole of putting "." at the beginning of the PATH (like many
>DOSsers generally do to get the same behaviour as DOS), just put it at the
>END of the PATH.
>
>You can use TCSH, last is 6.05 (great) which does it automatically but can
>be disabled at compile time.

That's not necessarily any safer. root shouldn't have . in its path
at all; it's just too risky, since you can inadvertently pick up a
binary from the current directory and run it with root privs, which can be
very nasty.

e.g. ls -l is often mistyped as ls-l; if someone maliciously
sticks a file ls-l in their home directory which does a cd /; rm
-fr * and you happen to be in their directory when you mistype, then
bye-bye system. Having . last won't save you there. NEVER put . in
root's path unless you like living dangerously.

As normal users it's different, I tend to have . last in that case because
it's more convenient and not so risky.

-- 
  Paul Richards, FreeBSD core team member.
  Intelligent Systems Laboratory, ELSYM, University of Wales, College Cardiff
  Internet: paul@isl.cf.ac.uk,  JANET(UK): RICHARDSDP@CARDIFF.AC.UK
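As an added example (not part of the original thread), here is a POSIX sh function that audits a PATH value for the fields the post warns about ("." and its equivalents) and applies the rule of thumb given above: never for root, tolerated only as the last field for an ordinary user. The field classification and the verdict names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit a PATH value for fields
# that resolve to the current working directory, which is what the thread
# warns against. A field is treated as cwd-relative when it is:
#   - empty (a leading, trailing or doubled colon): the shell treats this
#     exactly like "."
#   - "." itself
#   - any other relative name (e.g. "bin"), which is looked up under the cwd
# Output: one "pos:kind:field" line per such field (1-based position),
# then a final "verdict: ok|warn|unsafe" line following the post's rule:
# root must have none at all; an unprivileged user gets "warn" when the
# only such field is the last one, and "unsafe" for anything else.
path_audit() {
    rest="$1:"            # trailing colon so the final field is always seen
    uid=$2
    pos=0 hits=0 lasthit=0
    while [ -n "$rest" ]; do
        comp=${rest%%:*}
        rest=${rest#*:}
        pos=$((pos + 1))
        case $comp in
            "") kind=empty ;;
            .)  kind=dot ;;
            /*) continue ;;          # absolute directory: fine
            *)  kind=relative ;;
        esac
        hits=$((hits + 1))
        lasthit=$pos
        echo "$pos:$kind:$comp"
    done
    if [ "$hits" -eq 0 ]; then
        echo "verdict: ok"
    elif [ "$uid" -eq 0 ]; then
        echo "verdict: unsafe"      # root: never, even as the last field
    elif [ "$hits" -eq 1 ] && [ "$lasthit" -eq "$pos" ]; then
        echo "verdict: warn"        # user with "." last: tolerated but risky
    else
        echo "verdict: unsafe"
    fi
}

# Check the running shell's own PATH when the script is executed directly.
path_audit "$PATH" "$(id -u)"
```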