Date:      Wed, 5 Nov 1997 11:41:33 -0500
From:      Matthew Hunt <mph@pobox.com>
To:        John Kelly <mouth@ibm.net>
Cc:        questions@FreeBSD.ORG
Subject:   Re: question
Message-ID:  <19971105114133.42210@mph124.rh.psu.edu>
In-Reply-To: <3460990c.152757135@smtp-gw01.ny.us.ibm.net>; from John Kelly on Wed, Nov 05, 1997 at 04:22:37PM +0000
References:  <Pine.BSF.3.96.971105083016.244A-100000@dreamworld.demon.co.uk> <3460990c.152757135@smtp-gw01.ny.us.ibm.net>

On Wed, Nov 05, 1997 at 04:22:37PM +0000, John Kelly wrote:

> One of my first changes after an install is PATH in .profile, where I
> add a colon to the front of the path so that my current directory is
> found in my path.
> 
> Why doesn't .profile have it that way by default?  It seems to me that
> you would want to look in the current directory first.

This issue is discussed very frequently, and I am sure it appears in
one of the comp.unix FAQs.

If "." (or a blank entry) appears at the front of your PATH, then
someone can put a program called "ls" in their home directory or anywhere
else that they can write to, and if you run "ls" while in that directory,
you run whatever code they want you to, for example:

#!/bin/sh
rm -rf /

That would be especially bad if you're root, but even if you're a regular
user, you don't want to run a script that will erase your home directory,
or send threatening mail to the president, or whatnot.

Now, suppose you put "." at the end of your PATH.  That's not as bad,
because you'll run /bin/ls instead of ./ls, but many people make
characteristic typos, like "mroe" for "more", "sl" for "ls", etc.  A
random user could take advantage of that in the same way.

There is a strong consensus among people who care at all about security
that "." in the PATH is a Bad Thing, and I seriously doubt FreeBSD
would ever ship with such a hole.

-- 
Matthew Hunt <mph@pobox.com> * Think locally, act globally.
finger hunt@mph124.rh.psu.edu for PGP public key.
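A defender-side check for the PATH problem described in the reply above, added here as an example and not part of the original message: the first helper flags every PATH entry that means "search the current directory" (".", "./x", or an empty field from a leading, trailing or doubled colon), and the second shows which file a command name such as the "mroe" typo would actually run under a given PATH. The helper names, the "mroe" fixture and the sample PATH strings are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original message). POSIX sh helpers for
# auditing a PATH value and for predicting which file a command name
# resolves to, so the "." / empty-entry risk can be checked directly.

path_cwd_entries() {
    # $1: a PATH string. Prints "<position>:<entry>" for every entry that
    # resolves to the current directory. Returns 0 if any were found, 1 if clean.
    _rest="$1:"   # trailing ":" keeps a final empty field visible
    _pos=0
    _found=1
    while [ -n "$_rest" ]; do
        _entry="${_rest%%:*}"
        _rest="${_rest#*:}"
        _pos=$((_pos + 1))
        case "$_entry" in
            ""|.|./*) printf '%d:%s\n' "$_pos" "${_entry:-<empty>}"; _found=0 ;;
        esac
    done
    return "$_found"
}

path_resolve() {
    # $1: command name, $2: PATH string. Prints the first "<dir>/<cmd>" that
    # is an executable regular file, in PATH order; an empty field is searched
    # as "." exactly as the shell does. Returns 1 if nothing matched.
    _cmd="$1"
    _rest="$2:"
    while [ -n "$_rest" ]; do
        _dir="${_rest%%:*}"
        _rest="${_rest#*:}"
        if [ -z "$_dir" ]; then _dir=.; fi
        if [ -f "$_dir/$_cmd" ] && [ -x "$_dir/$_cmd" ]; then
            printf '%s\n' "$_dir/$_cmd"
            return 0
        fi
    done
    return 1
}

# When run as a script, audit the caller's own PATH.
if path_cwd_entries "$PATH"; then
    echo "PATH searches the current directory at the positions above."
else
    echo "PATH has no current-directory entries."
fi
```

With "." or an empty field at the end of PATH, `path_resolve mroe "$PATH"` run inside a directory containing an executable `mroe` prints `./mroe`, which is exactly the typo case the reply warns about.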