*BSD News Article 94022


From: fcrary@rintintin.Colorado.EDU (Frank Crary)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Help with a.out
Date: 21 Apr 1997 03:23:49 GMT
Organization: University of Colorado, Boulder
Lines: 58
Message-ID: <5jemk5$kdn@lace.colorado.edu>
References: <3355973C.429F@charlotte.infi.net> <5jdd6t$ndu@lace.colorado.edu> <86g1wlk6nx.fsf@pro200.farmer.org>
NNTP-Posting-Host: rintintin.colorado.edu
NNTP-Posting-User: fcrary


In article <86g1wlk6nx.fsf@pro200.farmer.org>,
Steven L. Farmer <slfarmer@swbell.net> wrote:
>> I hit the same problem. Unix looks for executables in the directories
>> defined by the $PATH environment variable, and for some reason the
>> current directory is not part of the default $PATH in FreeBSD (or
>> at least not as of 2.1.5). You can fix that by editing your .cshrc file.
>> Originally, mine had a line reading
>> set path = ( [usual paths])
>> by changing that to
>> set path = (. [usual paths])

>  This is generally regarded to be a Bad Thing, since it opens the
>(barn?)  door to Trojan Horses.

Good point. In my case, I have no network connections unless I run
the user prompt ppp command, so this isn't a problem. But I need to
remember to change things when I (eventually) set up better connections.
(And not to suggest this to other people without mentioning the 
security problem...) However, I find that a large number of Unix
machines, in particular those at research institutions, put the
dot in the default PATH variable. This seems like a very bad idea,
and someone should yell at their system administrators... 

>...If you *must* add dot to your path, adding it to the start
>is the worst possible choice.  Add it to the end instead, or at least
>following all of the normal "system" directories.

That's also a good point, but I think the advantages are subtle
enough that they should be stated in more detail. The advantage, as
I understand it, is that all the other directories would be checked
first, and if the name was found, the machine would run the real
program, not the Trojan Horse in the current directory. That would
make it harder to hide a Trojan Horse. E.g. if someone put one
in my home directory, called it "elm" and ran it, with a dot at the 
beginning of my PATH variable, it would show up on "ps", "top", etc.
as fcrary running elm. Someone seeing that would think, "Frank's
checking his mail" or, if the process had been running for a long
time, "Frank forgot to quit after checking his mail." If the dot
were at the end of my PATH, the system would find the real elm
first, and run that. So the Trojan Horse would have to use an
unusual name, and one that would not be easily identified. But
I don't see this as a major issue: a.out would not be a suspicious
process, and ./elm would show up as elm. If there is more to the
location of the dot than this, I'd like to know about it.

                                                        Frank Crary
                                                        CU Boulder

PS: I suspect someone's going to be upset about this. I've just
described in detail how someone could hide a Trojan Horse, publicly.
You could say that I'm giving criminals an idea about how to avoid
getting caught. I disagree for two reasons. First, publicly describing
security problems is the best way to avoid them. It lets people know
how and why the problem exists and that's the start of solving the
problem. Second, I doubt there are many people capable of introducing
a Trojan Horse who haven't figured these tricks out. 

                                                     FJC
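As an added example (not from the post or anyone in the thread), two POSIX sh helpers: one reports where a dot, explicit or implicit, sits in a PATH string, and the other emulates the shell's left-to-right lookup so the effect of dot-first versus dot-last on a look-alike "elm" can be seen. The "elm" files and directories are constructed in a temporary directory for the demonstration.

```shell
# Added example, not from the original post: two small POSIX sh helpers for
# the "dot in PATH" problem discussed above.

# path_dot_position PATHSTRING
# Prints the 1-based index of the first "." or empty component, or 0 if none.
# Empty components matter: "/bin::/usr/bin", a leading ":" or a trailing ":"
# all mean "current directory" to the shell.
path_dot_position() {
    _i=0
    _rest="$1:"            # trailing ':' lets the loop consume the last field
    while [ -n "$_rest" ]; do
        _i=$((_i + 1))
        _field=${_rest%%:*}
        _rest=${_rest#*:}
        case "$_field" in
            .|"") printf '%s\n' "$_i"; return ;;
        esac
    done
    printf '0\n'
}

# first_match NAME PATHSTRING
# Emulates the shell's command lookup: prints the first executable NAME found
# walking PATHSTRING left to right, or prints nothing and returns 1.
first_match() {
    _rest="$2:"
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}
        _rest=${_rest#*:}
        [ -z "$_dir" ] && _dir=.
        if [ -f "$_dir/$1" ] && [ -x "$_dir/$1" ]; then
            printf '%s\n' "$_dir/$1"
            return 0
        fi
    done
    return 1
}

# demo_elm_lookup: constructed layout (a "system" elm plus a look-alike elm in
# the current directory); prints what runs with dot first, then with dot last.
demo_elm_lookup() {
    _tmp=$(mktemp -d) || return 1
    mkdir "$_tmp/bin" "$_tmp/home"
    printf '#!/bin/sh\necho real elm\n' > "$_tmp/bin/elm"
    printf '#!/bin/sh\necho look-alike\n' > "$_tmp/home/elm"
    chmod +x "$_tmp/bin/elm" "$_tmp/home/elm"
    (cd "$_tmp/home" && first_match elm ".:$_tmp/bin")   # -> ./elm
    (cd "$_tmp/home" && first_match elm "$_tmp/bin:.")   # -> .../bin/elm
    rm -rf "$_tmp"
}
```

Running `path_dot_position "$PATH"` on a login shell is a quick way to check whether an implicit dot (an empty field) has crept into the path unnoticed.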