From: hal@snitt.com (Hal Snyder)
To: chat@freebsd.org
Subject: The Vinnie Loophole
Date: Tue, 25 Jun 1996 19:03:49 GMT
Organization: Siemens Nixdorf Transportation Technologies
Message-ID: <31d0216c.1105698438@vogon.trans.sni-usa.com>

[Moved from security to chat for soapboxing]

I said:

> > 1. How about adding checks for "." or equivalent in $PATH to
> > /etc/security? Scan for it in .profile, .bashrc, and so forth. This
> > would not catch every offense but would help.

David Greenman didn't want something scanning whole file systems (the way /etc/security looks for setuid/setgid changes now). And

On Tue, 25 Jun 1996 12:42:33 -0400 (EDT), Jeff Aitken wrote:

> filling my system logs is *not* what I consider helpful. If you put "."
> last in the path you should be fine.

Previous contributors to the massive "Please Help Me..." thread have pointed out that this only works if you never misspell a command nor try to use one that isn't in your PATH (ping is often not in an ordinary user's PATH, e.g.).
Clearly, there is no way to please all users of an operating system. My particular slant comes from spending too much time already dealing with FreeBSD-phobes at work. ("It's free - it can't possibly be: secure/robust/useful/...") Commercial users want to be reassured by sales droids and glitzy packaging that something is basically O.K. Of course, they are also suspicious of open-ended technology like UNIX, that can perform more than a single, simple function. Anything that can be done to keep novice sysadmins from hurting themselves is worth looking at, just to keep the noise level down about how dangerous U**X is.