From: Mike Meyer
Date: Mon, 25 Mar 2002 12:20:03 -0600
To: Chris BeHanna
Cc: FreeBSD-Stable
Subject: Re: mergemaster mtree:No such file or directory
Message-ID: <15519.27219.356805.929565@guru.mired.org>
In-Reply-To: <20020325010337.G78210-100000@topperwein.dyndns.org>

In <20020325010337.G78210-100000@topperwein.dyndns.org>, Chris BeHanna typed:
> On Sun, 24 Mar 2002, Ryan Davis wrote:
> > I've seen weird cases lately where the solution to some poor fool's
> > port building problem is "Take '.' out of your path". That's just
> > NOT going to help us increase the usability of our favorite OS, is
> > it?
>
> Having "." in your PATH is a security risk. I don't have any
> problem making life difficult for people who have "." in their PATH.

Running anything listening to a TCP socket is also a security risk. Do you not have any problems making life difficult for people who run, say sshd? Putting "." last in your PATH narrows the security risk to your common typos.
Running on a machine on which the only legit users all have root - a common situation for a workstation or a non-shell server - means that if the risk is exploitable, you've already been cracked. I'd say that running sshd is at least as dangerous as having "." last in your PATH on such a machine.

http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
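
A check for the PATH entries this thread argues about, as an added example that is not part of the original message: `cwd_entries` flags every element searched relative to the current directory (an empty element behaves like "."), and `first_hit` reports which file a search would select. The function names and the sample directory tree are constructed for illustration.

```shell
# Added example; function names are hypothetical, sample data is constructed.
# cwd_entries PATHSTRING: print "<position> <kind> <last|not-last>" for each
# element searched relative to the current directory. An empty element
# (leading ':', trailing ':' or '::') means "."; returns 1 if any is found.
cwd_entries() {
    rest="$1:"; pos=0; rc=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}; pos=$((pos + 1))
        case $entry in
            '') kind=empty ;;
            .)  kind=dot ;;
            /*) continue ;;
            *)  kind=relative ;;
        esac
        if [ -z "$rest" ]; then where=last; else where=not-last; fi
        echo "$pos $kind $where"; rc=1
    done
    return $rc
}

# first_hit PATHSTRING NAME CWD: print the file a PATH search for NAME
# would select if CWD were the current directory. Returns 1 if none.
first_hit() {
    rest="$1:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}
        case $entry in
            ''|.) dir=$3 ;;
            /*)   dir=$entry ;;
            *)    dir=$3/$entry ;;
        esac
        if [ -f "$dir/$2" ] && [ -x "$dir/$2" ]; then
            echo "$dir/$2"; return 0
        fi
    done
    return 1
}

# Constructed demo: bin/ stands in for a system directory; "sl" is a mistyped "ls".
demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/bin" "$t/work"
    for f in bin/ls work/ls work/sl; do : > "$t/$f"; chmod +x "$t/$f"; done
    for p in "$t/bin:." ".:$t/bin" "$t/bin:"; do
        echo "PATH=$p"; cwd_entries "$p" | sed 's/^/  entry /'
        for n in ls sl; do echo "  $n -> $(first_hit "$p" "$n" "$t/work")"; done
    done
    rm -rf "$t"
}
demo
```

With "." last, `ls` still resolves to the stand-in system copy and only the name missing from the earlier directory (`sl`) is taken from the working directory; with "." first, both are. A trailing colon gives the same result as "." last.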