Date: Thu, 10 Oct 1996 08:03:29 +0200
From: Mark Murray <mark@grondar.za>
To: Veggy Vinny <richardc@CSUA.Berkeley.EDU>
Cc: Warner Losh <imp@village.org>, current@FreeBSD.org
Subject: Re: /usr/bin/install in -current broken
Message-ID: <199610100603.IAA12278@grumble.grondar.za>

Veggy Vinny wrote:
> Hmmm, is moving the '.' to the last component in the path still a
> security risk? I guess you are right that I don't want to have it in
> root's path but I guess as the last component it should be okay since no
> one can name something with the same name and have me run it... =)

Of course. All someone has to do is name a script/trojan/whatever as
anything that is commonly mistyped to get you.

How often do you type (for instance)

l s-al for ls -al
fin or fnid for find
etc?

This leaves (in these cases) l, fin and fnid open for an attacker.

M
--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
Finger mark@grondar.za for PGP key
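
A check for the condition discussed in the message above, as an added example that is not part of the original e-mail: it flags any PATH entry that resolves against the current directory, whatever its position. It goes beyond the message in also flagging empty components (a leading or trailing `:` or `::`, which the shell treats as the current directory) and other relative entries; the function name `audit_path` and the sample PATH are assumptions made for illustration.

```shell
#!/bin/sh
# audit_path PATHSTRING   (hypothetical helper, not from the original message)
# Prints one line per entry that is searched relative to the current
# directory, at any position (first, middle or last).
# Returns 0 when no entry is flagged, 1 otherwise.
audit_path() {
    flagged=0
    pos=0
    # Append ':' so that every entry, including an empty trailing one,
    # is terminated by a colon and seen by the loop.
    rest="$1:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}    # text before the first ':'
        rest=${rest#*:}      # text after the first ':'
        pos=$((pos + 1))
        case $entry in
            '')
                echo "entry $pos: empty component (means current directory)"
                flagged=1 ;;
            .)
                echo "entry $pos: '.' (current directory)"
                flagged=1 ;;
            /*)
                ;;           # absolute directory: not the issue checked here
            *)
                echo "entry $pos: relative directory '$entry'"
                flagged=1 ;;
        esac
    done
    return $flagged
}

# Constructed sample: a PATH with '.' moved to the last position.
audit_path "/sbin:/bin:/usr/sbin:/usr/bin:." || true
```

To check a live session, call `audit_path "$PATH"` and treat a non-zero return as a finding.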