From owner-freebsd-security Tue Jun 25 08:16:59 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA07528 for security-outgoing; Tue, 25 Jun 1996 08:16:59 -0700 (PDT)
Received: from maki.wwa.com (maki.wwa.com [198.49.174.21]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id IAA07519 for ; Tue, 25 Jun 1996 08:16:53 -0700 (PDT)
Received: from wendigo.trans.sni-usa.com by maki.wwa.com with smtp (Smail3.1.29.1 #1) id m0uYZrI-000rPHC; Tue, 25 Jun 96 10:16 CDT
Received: from vogon.trans.sni-usa.com (vogon [136.157.83.215]) by wendigo.trans.sni-usa.com (8.7.5/8.6.12) with ESMTP id KAA10515 for ; Tue, 25 Jun 1996 10:12:14 -0500 (CDT)
Received: from shyam.trans.sni-usa.com (shyam.trans.sni-usa.com [136.157.82.43]) by vogon.trans.sni-usa.com (8.6.12/8.6.12) with SMTP id KAA05415 for ; Tue, 25 Jun 1996 10:24:38 -0500
From: hal@snitt.com (Hal Snyder)
To: security@freebsd.org
Subject: The Vinnie Loophole
Date: Tue, 25 Jun 1996 15:17:47 GMT
Organization: Siemens Nixdorf Transportation Technologies
Message-ID: <31cffc6e.1096226166@vogon.trans.sni-usa.com>
X-Mailer: Forte Agent .99e/32.227
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Re: Trojan horse programs that get executed because "." is in PATH
somewhere:

The fact that this well-known, easily plugged loophole is being
rediscovered by new admins (probably daily) suggests that we *could* do
something more proactive to keep it from happening.

1. How about adding checks for "." or equivalent in $PATH to
   /etc/security? Scan for it in .profile, .bashrc, and so forth. This
   would not catch every offence but would help.

2. At appropriate securelevel, have exec() fail with explanation to
   syslog if there is no "/" in argv[0].

How much code would [should] this break? Is this a horrible idea?
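
The check proposed in point 1, sketched as an added example that is not part of the original message and not FreeBSD's own /etc/security code. The function names unsafe_path_entries and scan_rc_file are hypothetical, the sample startup file is constructed, and only sh-style PATH assignments are parsed (csh "set path" is not).

```shell
#!/bin/sh
# Added example (not from the original message): flag PATH values that
# search the current directory. ".", "./..." and an empty entry (leading,
# trailing or doubled colon) are all resolved against the cwd.

# unsafe_path_entries PATHSTRING
# Prints "unsafe: <entries>" and returns 0 if any entry is cwd-relative.
unsafe_path_entries() {
    _rest="$1:"        # extra colon so the loop also sees the last entry
    _out=""
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        case "$_entry" in
            "")    _out="$_out <empty>" ;;
            .|./*) _out="$_out $_entry" ;;
        esac
    done
    [ -n "$_out" ] && echo "unsafe:$_out"
}

# scan_rc_file FILE
# Checks sh-style "PATH=..." / "export PATH=..." lines in a startup file.
# Variables such as $PATH stay unexpanded; only literal entries are judged.
scan_rc_file() {
    _hits=1
    _vals=$(sed -nE 's/^[[:space:]]*(export[[:space:]]+)?PATH=([^;#]*).*/\2/p' "$1" |
            tr -d "\"' \t")
    while IFS= read -r _v; do
        [ -n "$_v" ] || continue
        _bad=$(unsafe_path_entries "$_v") && { echo "$1: PATH=$_v ($_bad)"; _hits=0; }
    done <<EOF
$_vals
EOF
    return $_hits
}

# Constructed sample input: one offending line, one clean line.
sample=$(mktemp)
printf '%s\n' 'PATH=/usr/local/bin:/usr/bin:/bin:.; export PATH' \
              'export PATH="$HOME/bin:/usr/bin:/bin"' > "$sample"
scan_rc_file "$sample"
unsafe_path_entries "$PATH" || echo "current PATH: no cwd entries"
rm -f "$sample"
```

As the message says, a scan like this does not catch every case: a PATH built up across several files or computed at login is only visible by checking the live value with unsafe_path_entries "$PATH".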