From owner-freebsd-security  Tue Jun 25 08:38:45 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id IAA09235
          for security-outgoing; Tue, 25 Jun 1996 08:38:45 -0700 (PDT)
Received: from root.com (implode.root.com [198.145.90.17])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id IAA09225
          for <security@freebsd.org>; Tue, 25 Jun 1996 08:38:39 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by root.com (8.7.5/8.6.5) with SMTP id IAA19357; Tue, 25 Jun 1996 08:38:30 -0700 (PDT)
Message-Id: <199606251538.IAA19357@root.com>
X-Authentication-Warning: implode.root.com: Host localhost [127.0.0.1] didn't use HELO protocol
To: hal@snitt.com (Hal Snyder)
cc: security@freebsd.org
Subject: Re: The Vinnie Loophole 
In-reply-to: Your message of "Tue, 25 Jun 1996 15:17:47 GMT."
             <31cffc6e.1096226166@vogon.trans.sni-usa.com> 
From: David Greenman <davidg@root.com>
Reply-To: davidg@root.com
Date: Tue, 25 Jun 1996 08:38:29 -0700
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Re: Trojan horse programs that get executed because "." is in PATH
>somewhere:
>
>The fact that this well-known, easily plugged loophole is being
>rediscovered by new admins (probably daily) suggests that we *could*
>do something more proactive to keep it from happening.
>
>1.  How about adding checks for "." or equivalent in $PATH to
>/etc/security?  Scan for it in .profile, .bashrc, and so forth.  This
>would not catch every offence but would help.
>
>2.  At appropriate securelevel, have exec() fail with explanation to
>syslog if there is no "/" in argv[0].  How much code would [should]
>this break?  Is this a horrible idea?

   It's appropriate for some environments and not for others. I certainly
wouldn't want the kernel involved in this in any case, and things that do
scans through your filesystems need to be carefully controlled. Some systems
have so much disk space and NFS that the scan wouldn't complete within the
24 hour time period. Something like (1), if implemented, should not be enabled
by default.

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project