From owner-freebsd-security Tue Jun 25 10:45:13 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA21859 for security-outgoing; Tue, 25 Jun 1996 10:45:13 -0700 (PDT)
Received: from xmission.xmission.com (softweyr@xmission.xmission.com [198.60.22.2]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id KAA21847 for ; Tue, 25 Jun 1996 10:45:09 -0700 (PDT)
Received: (from softweyr@localhost) by xmission.xmission.com (8.7.5/8.7.5) id LAA24692; Tue, 25 Jun 1996 11:44:19 -0600 (MDT)
From: Barnacle Wes
Message-Id: <199606251744.LAA24692@xmission.xmission.com>
Subject: Re: The Vinnie Loophole
To: davidg@Root.COM
Date: Tue, 25 Jun 1996 11:44:19 -0600 (MDT)
Cc: hal@snitt.com, security@freebsd.org
In-Reply-To: <199606251538.IAA19357@root.com> from "David Greenman" at Jun 25, 96 08:38:29 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

% Re: Trojan horse programs that get executed because "." is in PATH
% somewhere:
%
% The fact that this well-known, easily plugged loophole is being
% rediscovered by new admins (probably daily) suggests that we *could*
% do something more proactive to keep it from happening.
%
% 1. How about adding checks for "." or equivalent in $PATH to
% /etc/security? Scan for it in .profile, .bashrc, and so forth. This
% would not catch every offence but would help.

> It's appropriate for some environments and not for others. I certainly
> wouldn't want the kernel involved in this in any case, and things that do
> scans through your filesystems need to be carefully controlled. Some systems
> have so much disk space and NFS that the scan wouldn't complete within the
> 24 hour time period. Something like (1), if implemented, should not be enabled
> by default.

I worked on the code that did this in Security Toolkit/UNIX for months, so
did the other two programmers. This is very difficult to do correctly, and
if you do it wrong, you're just giving out a false sense of security. In my
experience, when you tell someone their computer is "secure" and then they
get hacked, they get *really pissed* at you, regardless of whether you said
anything about how they got hacked or not. ;^)

--
Wes Peters            | Yes I am a pirate, two hundred years too late
Softweyr              | The cannons don't thunder, there's nothing to plunder
Consulting            | I'm an over forty victim of fate...
softweyr@xmission.com |                                     Jimmy Buffett
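
The check proposed in item 1 of the quoted message, narrowed to a single PATH-style string, as an added example that is not part of the original thread. It goes slightly beyond a literal "." by also flagging empty and relative entries, which are resolved against the current directory as well. The function name `path_cwd_entries` and the sample value are hypothetical and constructed, and finding every place where PATH gets set is outside its scope.

```shell
#!/bin/sh
# Added example: report entries of a PATH-style string that make command
# lookup depend on the current directory.
#   dot      - "." or "./"
#   empty    - leading, trailing or doubled colon (searched as the cwd)
#   relative - any other entry that does not start with "/"
#
# Usage: path_cwd_entries PATHSTRING
# Prints "<position> <kind> <entry>" for each risky entry.
# Returns 0 if none were found, 1 otherwise.
# An empty PATHSTRING is treated as one empty entry.
path_cwd_entries() {
    _rest=$1
    _pos=0
    _found=0
    while :; do
        # Split by hand: IFS-based splitting would drop a trailing empty field.
        case $_rest in
            *:*) _entry=${_rest%%:*}; _rest=${_rest#*:}; _last=0 ;;
            *)   _entry=$_rest; _last=1 ;;
        esac
        _pos=$((_pos + 1))
        case $_entry in
            '')     _kind=empty ;;
            .|./)   _kind=dot ;;
            /*)     _kind= ;;          # absolute entry: not cwd-dependent
            *)      _kind=relative ;;
        esac
        if [ -n "$_kind" ]; then
            printf '%s %s %s\n' "$_pos" "$_kind" "${_entry:-<empty>}"
            _found=1
        fi
        [ "$_last" -eq 1 ] && break
    done
    return "$_found"
}

# Constructed sample value, not taken from any real system.
SAMPLE_PATH='/usr/bin:.:/bin::bin:/usr/local/bin:'
path_cwd_entries "$SAMPLE_PATH" || echo "cwd-dependent entries found"
```
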