From owner-freebsd-questions  Wed Jul 24 06:39:35 1996
Return-Path: owner-questions
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id GAA19390
          for questions-outgoing; Wed, 24 Jul 1996 06:39:35 -0700 (PDT)
Received: from seagull.rtd.com (root@seagull.rtd.com [198.102.68.2])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id GAA19382
          for <freebsd-questions@freebsd.org>; Wed, 24 Jul 1996 06:39:33 -0700 (PDT)
Received: (from dgy@localhost) by seagull.rtd.com (8.7.5/8.7.3) id GAA15147; Wed, 24 Jul 1996 06:39:27 -0700 (MST)
From: Don Yuniskis <dgy@rtd.com>
Message-Id: <199607241339.GAA15147@seagull.rtd.com>
Subject: Re: ["Ian Kallen" <ian@gamespot.com>: Re: Install Q& A]
To: paradox@pegasus.rutgers.edu (Red Barchetta)
Date: Wed, 24 Jul 1996 06:39:27 -0700 (MST)
Cc: freebsd-questions@freebsd.org
In-Reply-To: <CMM-RU.1.5.838209547.paradox@pegasus.rutgers.edu> from "Red Barchetta" at Jul 24, 96 07:59:07 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> >Is . in your path?  A lot of folks consider it bad sysadmin practive 
> >to have it so and to precede all commands outside their path with full 
> >paths or relative paths (i.e. from /stand run it as ./sysinstall).
> 
> Why is this considered bad practice?

Because a nasty user could ask you to look into a "problem" he is
having... you would conceivably cd into his $HOME (which is where the
problem is) and maybe do something like "ls" to list the contents of the
directory.  Of course, the user may have created his own bogus "ls"
that you will end up executing *instead* of /bin/ls (assuming the "."
is in your path ahead of "/bin").  That bogus "ls" will now execute with
*your* (e.g., *root's*) permissions and probably give the user
root priviledge in the future...