Date:      Tue, 25 Jun 1996 07:58:32 +0100
From:      "Gary Palmer" <gpalmer@FreeBSD.ORG>
To:        -Vince- <vince@mercury.gaianet.net>
Cc:        Mark Murray <mark@grumble.grondar.za>, hackers@FreeBSD.ORG, security@FreeBSD.ORG, Chad Shackley <chad@mercury.gaianet.net>, jbhunt <jbhunt@mercury.gaianet.net>
Subject:   Re: I need help on this one - please help me track this guy down! 
Message-ID:  <29209.835685912@palmer.demon.co.uk>
In-Reply-To: Your message of "Mon, 24 Jun 1996 23:32:55 PDT." <Pine.BSF.3.91.960624232727.21697c-100000@mercury.gaianet.net> 

-Vince- wrote in message ID
<Pine.BSF.3.91.960624232727.21697c-100000@mercury.gaianet.net>:
> 	Hmmm, doesn't everyone have . as their path since all . does is allow
> someone to run stuff from the current directory...

No, everyone does NOT have `.' in their paths! I most certainly don't,
as I know that it's ALL too easy to have someone break your system
security that way. Imagine if you are looking into something as root,
and have `.' in your path. You go into someone else's directory, and do
a `ls'. All they need is a wrapper program called `ls' in that dir
which copies /bin/sh to some directory, chowns it to root, then sets
the setuid bit, and THEN exec's ls with the arguments given, and BANG,
there goes your system security.

See the problem? It's a bit of a pain if you are doing s/w
development, but it's more than repaid in security ... It's why we put
up with the common complaint from newbies about not being able to run
programs in their current directory, as `.' isn't in root's path by
default when we ship the system.

Gary
--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info
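A way to check for the misconfiguration discussed above from the defender's side, as an added example that is not part of the original thread (POSIX sh; the function names `audit_path` and `safe_path` are chosen here). Note that an empty PATH entry (`::`, a leading or trailing `:`) resolves to the current directory exactly like `.` does, so the audit flags those too.

```shell
#!/bin/sh
# audit_path PATHSTRING: print each entry that resolves relative to the
# current directory ("", ".", "./x", "../x" or any non-absolute dir) as
# "<position>:<entry>"; return 1 if any were found, 0 if PATH is clean.
audit_path() {
    _rest="${1-$PATH}:"   # trailing ':' keeps a final empty field visible
    _rc=0
    _pos=0
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        _pos=$((_pos + 1))
        case "$_entry" in
            /*) ;;                                   # absolute dir: fine
            "") printf '%s:<empty>\n' "$_pos"; _rc=1 ;;  # empty field = cwd
            *)  printf '%s:%s\n' "$_pos" "$_entry"; _rc=1 ;;  # ".", "./bin", "bin"
        esac
    done
    return $_rc
}

# safe_path PATHSTRING: print a copy of the PATH with every cwd-relative
# entry dropped, so commands only ever resolve from fixed absolute dirs.
safe_path() {
    _rest="${1-$PATH}:"
    _out=""
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        case "$_entry" in
            /*) _out="${_out:+$_out:}$_entry" ;;
        esac
    done
    printf '%s\n' "$_out"
}

# Demonstration on a constructed PATH (not the caller's): entries 2, 4 and
# 5 are reported, and safe_path reduces it to "/bin:/usr/bin".
demo="/bin::/usr/bin:.:bin"
audit_path "$demo" || echo "unsafe PATH; use: PATH=$(safe_path "$demo")"
```

Run `audit_path "$PATH"` in a root shell (or from a login script) to report any cwd-relative entries; a non-zero exit status means at least one was found.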
