From owner-freebsd-questions Wed Jul 24 05:54:18 1996 Return-Path: owner-questions Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id FAA17420 for questions-outgoing; Wed, 24 Jul 1996 05:54:18 -0700 (PDT) Received: from pegasus.rutgers.edu (pegasus.rutgers.edu [128.6.10.45]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id FAA17415 for ; Wed, 24 Jul 1996 05:54:17 -0700 (PDT) Received: (paradox@localhost) by pegasus.rutgers.edu (8.6.12+bestmx+oldruq+newsunq/8.5) id IAA08136; Wed, 24 Jul 1996 08:54:01 -0400 Date: Wed, 24 Jul 1996 08:54:01 -0400 From: Red Barchetta Message-Id: <199607241254.IAA08136@pegasus.rutgers.edu> To: freebsd-questions@freebsd.org Sender: owner-questions@freebsd.org X-Loop: FreeBSD.org Precedence: bulk From: Red Barchetta Subject: Re: ["Ian Kallen" : Re: Install Q& A] In-Reply-To: Your message of Wed, 24 Jul 1996 08:37:35 -0400 > -------- > > ( Heh must be a rush fan .. can't wait until Sept. 3! ) > I most certainly am ! :) > > (shudder) ... let me give you an example... > > User A says that he cannot read a file in his home area... you cd to > his home area and type 'ls'. you note that the permissions on the > file were 111 and send him mail saying he needs to change his > permissions. You then go about your business thinking every thing is > ok... but what really happened is that the user had created an > executable in his home directory called 'ls' and since '.' was in > your path before /bin, you executed the local one. And the local one > copyied /bin/sh to ~A/.tmp and made it setuid, and then erased the > offending copy in the local directory and then executed the _real_ ls > with the flags you specified. > > Now the user has root access. Suprise. This is one of the simplest > examples.. there are better ones ;-). > > -branson Mkaes sense. Two questions stem from that, though: 1) is there any reason that just plain old joe user should avoid '.' in his path? (I don't see any, but just to make sure.) 2) if '.' appears as the very last entry in root's path is this still considered a security risk? I'm not so lazy that I'm not willing to type './command' as root--- just really curious about this type of stuff! I know these aren't actually FreeBSD specific questions, but I hope they will prove to be of interest to some other novice sysadmins out there as well! Thanks... Ernie Pistor