Date:      Tue, 25 Jun 1996 00:25:02 -0700 (PDT)
From:      -Vince- <vince@mercury.gaianet.net>
To:        Gary Palmer <gpalmer@FreeBSD.ORG>
Cc:        Mark Murray <mark@grumble.grondar.za>, hackers@FreeBSD.ORG, security@FreeBSD.ORG, Chad Shackley <chad@mercury.gaianet.net>, jbhunt <jbhunt@mercury.gaianet.net>
Subject:   Re: I need help on this one - please help me track this guy down! 
Message-ID:  <Pine.BSF.3.91.960625002357.21697f-100000@mercury.gaianet.net>
In-Reply-To: <29209.835685912@palmer.demon.co.uk>

On Tue, 25 Jun 1996, Gary Palmer wrote:

> -Vince- wrote in message ID
> <Pine.BSF.3.91.960624232727.21697c-100000@mercury.gaianet.net>:
> > 	Hmmm, doesn't everyone have . as their path since all . does is allow
> > someone to run stuff from the current directory...
> 
> No, everyone does NOT have `.' in their paths! I most certainly don't,
> as I know that it's ALL too easy to have someone break your system
> security that way. Imagine if you are looking into something as root,
> and have `.' in your path. You go into someone else's directory, and do
> a `ls'. All they need is a wrapper program called `ls' in that dir
> which copies /bin/sh to some directory, chowns it to root, then sets
> the setuid bit, and THEN exec's ls with the arguments given, and BANG,
> there goes your system security.
> 
> See the problem? It's a bit of a pain if you are doing s/w
> development, but it's more than repaid in security ... It's why we put
> up with the common complaint from newbies about not being able to run
> programs in their current directory, as `.' isn't in root's path by
> default when we ship the system.

	Hmmm, I see people don't have it at the beginning of their path,
but they do at the end; even on CERFNet, when they talk about security,
all their defaults have . at the end.

Vince
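An added check (not from this thread) a defender can run against a shell's PATH, written in POSIX sh: it flags `.`, empty entries (which the shell searches exactly like `.`), relative entries, and absolute directories that are world-writable or missing. It assumes `ls -ld` prints the usual ten-character mode string.

```sh
#!/bin/sh
# audit_path - report PATH entries that let an untrusted directory shadow a
# command such as ls. Usage: audit_path "$PATH". Prints one finding per line
# and returns the number of findings (0 means the PATH looks clean).
audit_path() {
    _rest="$1:"     # trailing ':' so the loop also sees a final empty entry
    _pos=0
    _found=0
    while [ -n "$_rest" ]; do
        _ent=${_rest%%:*}   # entry before the first ':'
        _rest=${_rest#*:}   # what remains after it
        _pos=$((_pos + 1))
        case $_ent in
            "" | .)
                # The shell treats an empty entry (leading or trailing ':',
                # or '::') exactly like '.', so both count as "current dir".
                echo "entry $_pos: current directory is searched (\"$_ent\")"
                _found=$((_found + 1)) ;;
            /*)
                if [ ! -d "$_ent" ]; then
                    echo "entry $_pos: $_ent does not exist (whoever creates it wins)"
                    _found=$((_found + 1))
                elif [ "$(ls -ld "$_ent" | cut -c9)" = w ]; then
                    # 9th character of the mode string is the other-write bit
                    echo "entry $_pos: $_ent is world-writable"
                    _found=$((_found + 1))
                fi ;;
            *)
                # Relative entries ('bin', '../tools') resolve against the
                # current directory, so they are '.' in disguise.
                echo "entry $_pos: relative entry \"$_ent\" depends on the current directory"
                _found=$((_found + 1)) ;;
        esac
    done
    return "$_found"
}

# Audit the PATH given as the first argument, or this shell's own PATH.
audit_path "${1:-$PATH}" || echo "$? problem(s) found"
```

A clean result only means no entry is trivially hijackable; it says nothing about the trustworthiness of the binaries already in those directories.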




