From owner-freebsd-hackers Tue Jun 25 00:25:22 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA26347 for hackers-outgoing; Tue, 25 Jun 1996 00:25:22 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id AAA26339; Tue, 25 Jun 1996 00:25:20 -0700 (PDT)
Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id AAA06126; Tue, 25 Jun 1996 00:25:02 -0700 (PDT)
Date: Tue, 25 Jun 1996 00:25:02 -0700 (PDT)
From: -Vince-
To: Gary Palmer
cc: Mark Murray, hackers@FreeBSD.ORG, security@FreeBSD.ORG, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <29209.835685912@palmer.demon.co.uk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 25 Jun 1996, Gary Palmer wrote:

> -Vince- wrote in message ID
> :
> > Hmmm, doesn't everyone have . as their path since all . does is allow
> > someone to run stuff from the current directory...
>
> No, everyone does NOT have `.' in their paths! I most certainly don't,
> as I know that it's ALL too easy to have someone break your system
> security that way. Imagine if you are looking into something as root,
> and have `.' in your path. You go into someone else's directory, and do
> a `ls'. All they need is a wrapper program called `ls' in that dir
> which copies /bin/sh to some directory, chowns it to root, then sets
> the setuid bit, and THEN exec's ls with the arguments given, and BANG,
> there goes your system security.
>
> See the problem? It's a bit of a pain if you are doing s/w
> development, but it's more than repaid in security ... It's why we put
> up with the common complaint from newbies about not being able to run
> programs in their current directory, as `.' isn't in root's path by
> default when we ship the system.
Hmmm, I see people don't have it at the beginning of their path, but they do at the end. Even on CERFNet, when they talk about security, all their defaults have . at the end..

Vince
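The check Gary's point calls for, as an added POSIX sh example that is not part of this thread: `path_audit` walks a PATH string and reports every component that makes command lookup depend on the current directory (`.`, an empty component such as a leading, trailing or doubled colon, or any other relative entry), and `path_sanitize` rebuilds the PATH from its absolute entries only. Both function names are my own, and the sample PATH strings in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the FreeBSD thread.
# path_audit PATHSTRING
#   Prints one line per unsafe component and returns 1 if any was found,
#   0 if every component is an absolute directory path.
#   An empty component (":/bin", "/bin:", "/bin::/usr/bin") is treated by
#   the shell exactly like ".", so it is reported as well.
path_audit() {
    _rest="$1:"          # trailing ':' so the loop also sees a trailing empty component
    _pos=0
    _bad=0
    while [ -n "$_rest" ]; do
        _comp="${_rest%%:*}"   # text before the first ':'
        _rest="${_rest#*:}"    # everything after it
        _pos=$((_pos + 1))
        case "$_comp" in
            "")  printf 'component %d: empty (resolves to the current directory)\n' "$_pos"
                 _bad=1 ;;
            .)   printf 'component %d: "." (current directory)\n' "$_pos"
                 _bad=1 ;;
            /*)  ;;   # absolute path: not affected by where the user happens to cd
            *)   printf 'component %d: relative path "%s"\n' "$_pos" "$_comp"
                 _bad=1 ;;
        esac
    done
    return "$_bad"
}

# path_sanitize PATHSTRING
#   Prints PATHSTRING with ".", empty and relative components removed,
#   preserving the order of the remaining absolute entries.
#   e.g. "/bin:.:/usr/bin::" -> "/bin:/usr/bin"   (constructed sample)
path_sanitize() {
    _rest="$1:"
    _out=""
    while [ -n "$_rest" ]; do
        _comp="${_rest%%:*}"
        _rest="${_rest#*:}"
        case "$_comp" in
            /*) _out="${_out:+$_out:}$_comp" ;;   # append with ':' separator
            *)  ;;                                # drop anything not absolute
        esac
    done
    printf '%s\n' "$_out"
}

# Run against the live environment only when invoked as: sh path_audit.sh --check
if [ "${1:-}" = "--check" ]; then
    if path_audit "$PATH"; then
        echo "PATH contains only absolute components"
    else
        echo "suggested PATH: $(path_sanitize "$PATH")"
    fi
fi
```

Note that a `.` at the end of the path, the placement Vince describes, is still reached whenever a command is not found earlier in the search, which includes every mistyped command name, so the audit reports it regardless of position.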