From owner-freebsd-security Tue Jun 25 09:42:51 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA15754 for security-outgoing; Tue, 25 Jun 1996 09:42:51 -0700 (PDT)
Received: from husky.cslab.vt.edu (jaitken@husky.cslab.vt.edu [198.82.184.10]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id JAA15747 for ; Tue, 25 Jun 1996 09:42:47 -0700 (PDT)
Received: (jaitken@localhost) by husky.cslab.vt.edu (8.6.12/8.6.4) id MAA06642; Tue, 25 Jun 1996 12:42:33 -0400
From: Jeff Aitken
Message-Id: <199606251642.MAA06642@husky.cslab.vt.edu>
Subject: Re: The Vinnie Loophole
To: hal@snitt.com (Hal Snyder)
Date: Tue, 25 Jun 1996 12:42:33 -0400 (EDT)
Cc: security@freebsd.org
In-Reply-To: <31cffc6e.1096226166@vogon.trans.sni-usa.com> from "Hal Snyder" at Jun 25, 96 03:17:47 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> 1. How about adding checks for "." or equivalent in $PATH to
> /etc/security? Scan for it in .profile, .bashrc, and so forth. This
> would not catch every offense but would help.

I can't speak for anyone else, but that would be the first sort of
"security check" I would disable (along with the damn message about
not logging in as root, but to use 'su'). Useless messages like

    WARNING: root has "." in their path!!!

filling my system logs is *not* what I consider helpful. If you put
"." last in the path you should be fine.

If you've got "Unix System Administrators" who are trying to use
commands like DIR and REN, or are wondering why there isn't a C:\UNIX
directory, well, I think you're in trouble anyway :-)

--
Jeff Aitken
jaitken@cs.vt.edu
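
The check proposed in the quoted text, as an added example that is not part of the original message or of FreeBSD's /etc/security: a POSIX shell function that reports every entry in a PATH string that resolves against the current directory ("." itself, empty entries, which the shell treats the same way, and other relative entries) and whether it is the last entry. The function name `path_cwd_entries` and the sample PATH values are assumptions constructed for illustration.

```shell
#!/bin/sh
# path_cwd_entries PATHSTRING
# Prints one line per entry that is searched relative to the current
# directory: "<position> <kind> <last|not-last>".
#   kind = dot       entry is exactly "."
#   kind = empty     zero-length entry (leading ":", trailing ":", or "::")
#   kind = relative  any other entry that does not start with "/"
# Hypothetical helper; the body runs in a subshell so no variables leak.
path_cwd_entries() (
    rest=$1
    idx=0
    while :; do
        idx=$((idx + 1))
        # Split by hand: IFS-based splitting drops a trailing empty field.
        case $rest in
            *:*) entry=${rest%%:*}; rest=${rest#*:}; more=1 ;;
            *)   entry=$rest; more=0 ;;
        esac
        case $entry in
            '')  kind=empty ;;
            .)   kind=dot ;;
            /*)  kind= ;;          # absolute entry, nothing to report
            *)   kind=relative ;;
        esac
        if [ -n "$kind" ]; then
            if [ "$more" -eq 0 ]; then pos=last; else pos=not-last; fi
            printf '%s %s %s\n' "$idx" "$kind" "$pos"
        fi
        [ "$more" -eq 1 ] || break
    done
)

# Constructed sample values, not taken from any real system.
for sample in '/usr/bin:/bin' '/usr/bin:/bin:.' ':/usr/bin::bin:/sbin:'; do
    printf 'PATH=%s\n' "$sample"
    path_cwd_entries "$sample" | sed 's/^/  entry /'
done
```

Called as `path_cwd_entries "$PATH"` it checks the PATH the current shell actually ended up with, which also covers entries added by startup files that a text scan of .profile or .bashrc would miss.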