From owner-freebsd-hackers Tue Jun 25 00:01:30 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA23250 for hackers-outgoing; Tue, 25 Jun 1996 00:01:30 -0700 (PDT)
Received: from palmer.demon.co.uk (palmer.demon.co.uk [158.152.50.150]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id AAA23217; Tue, 25 Jun 1996 00:01:19 -0700 (PDT)
Received: from palmer.demon.co.uk (localhost [127.0.0.1]) by palmer.demon.co.uk (sendmail/PALMER-2) with ESMTP id HAA29211; Tue, 25 Jun 1996 07:58:33 +0100 (BST)
To: -Vince-
cc: Mark Murray, hackers@FreeBSD.ORG, security@FreeBSD.ORG, Chad Shackley, jbhunt
From: "Gary Palmer"
Subject: Re: I need help on this one - please help me track this guy down!
In-reply-to: Your message of "Mon, 24 Jun 1996 23:32:55 PDT."
Date: Tue, 25 Jun 1996 07:58:32 +0100
Message-ID: <29209.835685912@palmer.demon.co.uk>
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

-Vince- wrote in message ID :

> Hmmm, doesn't everyone have . as their path since all . does is allow
> someone to run stuff from the current directory...

No, everyone does NOT have `.' in their paths! I most certainly don't, as I know that it's all too easy to have someone break your system security that way.

Imagine if you are looking into something as root, and have `.' in your path. You go into someone else's directory, and do a `ls'. All they need is a wrapper program called `ls' in that dir which copies /bin/sh to some directory, chowns it to root, then sets the setuid bit, and THEN execs ls with the arguments given, and BANG, there goes your system security. See the problem?

It's a bit of a pain if you are doing s/w development, but it's more than repaid in security ... It's why we put up with the common complaint from newbies about not being able to run programs in their current directory, as `.' isn't in root's path by default when we ship the system.
Gary
--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info
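The check Gary's message implies, as an added example that is not part of his post and not FreeBSD's own tooling: a small POSIX sh audit of a PATH value. It flags the entries that make a shell resolve commands from whatever directory you happen to be in (a literal `.`, an empty component such as the one in `/bin::/usr/bin` or a leading/trailing colon, and any other relative entry), and separately lists PATH directories that are world-writable, since those let anyone plant a same-named wrapper even without `.` in the path. The function names and the use of `find -perm -0002` for the writability test are my choices, not anything the mail describes.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post): audit a PATH string
# for the entries Gary warns about.

# path_unsafe_entries PATHSTRING
#   Prints one line per unsafe component: "(empty component)" for an empty
#   entry, otherwise the entry itself for "." / ".." / any relative path.
#   Returns 0 if at least one unsafe entry was found, 1 if the PATH is clean.
path_unsafe_entries() {
    _rest="$1:"          # trailing colon so the last component is handled too
    _found=1
    while [ -n "$_rest" ]; do
        _comp="${_rest%%:*}"   # everything before the first ':'
        _rest="${_rest#*:}"    # drop it, including the ':'
        case "$_comp" in
            "")    echo "(empty component)"; _found=0 ;;
            .|..)  echo "$_comp";            _found=0 ;;
            /*)    ;;                        # absolute entry: fine
            *)     echo "$_comp";            _found=0 ;;
        esac
    done
    return $_found
}

# path_world_writable PATHSTRING
#   Prints each existing PATH directory that is world-writable (mode o+w).
#   Returns 0 if any were found, 1 otherwise.  -prune keeps find from
#   descending into the directory; -perm -0002 tests the other-write bit.
path_world_writable() {
    _rest="$1:"
    _found=1
    while [ -n "$_rest" ]; do
        _dir="${_rest%%:*}"
        _rest="${_rest#*:}"
        [ -n "$_dir" ] && [ -d "$_dir" ] || continue
        if [ -n "$(find "$_dir" -prune -perm -0002 2>/dev/null)" ]; then
            echo "$_dir"
            _found=0
        fi
    done
    return $_found
}

# Informational run against the current shell's PATH (never exits non-zero,
# so it is safe to source this file from a login script).
if path_unsafe_entries "$PATH" >/dev/null; then
    echo "WARNING: PATH has entries that resolve relative to the cwd:"
    path_unsafe_entries "$PATH" | sed 's/^/    /'
else
    echo "PATH: all entries are absolute"
fi
if path_world_writable "$PATH" >/dev/null; then
    echo "WARNING: world-writable directories in PATH:"
    path_world_writable "$PATH" | sed 's/^/    /'
fi
```

Run it as `sh path_audit.sh` from a root shell, or call `path_unsafe_entries "$PATH"` from an rc script to refuse a login profile that tries to append `.`; the same parser works for a PATH string read from someone else's dotfile, so an administrator can check accounts other than their own.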