From: Don Yuniskis
Message-Id: <199607241343.GAA15489@seagull.rtd.com>
Subject: Re: your mail
To: paradox@pegasus.rutgers.edu (Red Barchetta)
Date: Wed, 24 Jul 1996 06:43:20 -0700 (MST)
Cc: freebsd-questions@FreeBSD.ORG
In-Reply-To: <199607241254.IAA08136@pegasus.rutgers.edu> from "Red Barchetta" at Jul 24, 96 08:54:01 am

It seems that Red Barchetta said:
>
> From: Red Barchetta
> Subject: Re: ["Ian Kallen" : Re: Install Q& A]
> In-Reply-To: Your message of Wed, 24 Jul 1996 08:37:35 -0400
>
> > (shudder) ... let me give you an example...
> >
> > User A says that he cannot read a file in his home area... you cd to
> > his home area and type 'ls'. You note that the permissions on the
> > file were 111 and send him mail saying he needs to change his
> > permissions. You then go about your business thinking everything is
> > ok... but what really happened is that the user had created an
> > executable in his home directory called 'ls' and since '.' was in
> > your path before /bin, you executed the local one. And the local one
> > copied /bin/sh to ~A/.tmp and made it setuid, and then erased the
> > offending copy in the local directory and then executed the _real_ ls
> > with the flags you specified.
> >
> > Now the user has root access. Surprise. This is one of the simplest
> > examples.. there are better ones ;-).
>
> Makes sense. Two questions stem from that, though:
>
> 1) is there any reason that just plain old joe user should avoid '.'
> in his path? (I don't see any, but just to make sure.)

Same as above. "joe user" doesn't want to give *his* permissions away!

> 2) if '.' appears as the very last entry in root's path is this
> still considered a security risk? I'm not so lazy that I'm not
> willing to type './command' as root--- just really curious about
> this type of stuff!

I think the point of *forcing* you to type the "./" is hopefully
a reminder that you are executing an "alien" -- and potentially
hostile -- program.
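
A way to audit a search path for the problem discussed in this thread, as an added example that is not part of the original messages. It goes slightly beyond the literal '.' case: the shell also treats an empty PATH element (a leading, trailing or doubled ':') as the current directory, and a world-writable directory in PATH lets another user supply the binary in the same way. The function name audit_path and all sample paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. audit_path is a hypothetical helper, not a standard utility.
# Prints one "position:kind:entry" line per PATH element that lets the
# current directory, or another user, decide which binary actually runs.
audit_path() {
    ap_rest="${1-$PATH}:"        # sentinel ':' keeps a trailing empty element
    ap_pos=0
    while [ -n "$ap_rest" ]; do
        ap_entry=${ap_rest%%:*}  # first element
        ap_rest=${ap_rest#*:}    # remainder after the first ':'
        ap_pos=$((ap_pos + 1))
        ap_kind=
        case $ap_entry in
            '') ap_kind=empty ;;      # "::", leading or trailing ':' all mean cwd
            .)  ap_kind=dot ;;
            /*) # absolute: check whether "other" may write (char 9 of the mode)
                case $(ls -ldL "$ap_entry" 2>/dev/null | cut -c1-10) in
                    d???????w?) ap_kind=world-writable ;;
                esac ;;
            *)  ap_kind=relative ;;   # "bin", "./bin", "../tools" follow the cwd
        esac
        if [ -n "$ap_kind" ]; then
            printf '%s:%s:%s\n' "$ap_pos" "$ap_kind" "$ap_entry"
        fi
    done
    return 0
}

# Constructed sample values, not taken from the thread.
audit_path ".:/bin:/usr/bin"     # the layout in the quoted story: '.' ahead of /bin
audit_path "/bin:/usr/bin:"      # a trailing ':' is an implicit '.' in last position
```

Called with no argument, audit_path checks the live $PATH; the position field shows how early in the search order each flagged element sits.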