From owner-freebsd-questions Wed Nov 5 11:31:54 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id LAA01432 for questions-outgoing; Wed, 5 Nov 1997 11:31:54 -0800 (PST) (envelope-from owner-freebsd-questions)
Received: from smtp04.primenet.com (smtp04.primenet.com [206.165.5.85]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id LAA01422 for ; Wed, 5 Nov 1997 11:31:49 -0800 (PST) (envelope-from bkogawa@primenet.com)
Received: (from daemon@localhost) by smtp04.primenet.com (8.8.7/8.8.7) id MAA05334; Wed, 5 Nov 1997 12:31:42 -0700 (MST)
Received: from mailhost01.primenet.com(206.165.5.52), claiming to be "primenet.com" via SMTP by smtp04.primenet.com, id smtpd005323; Wed Nov 5 12:31:40 1997
Received: from foo.primenet.com (ip194.sjc.primenet.com [206.165.96.194]) by primenet.com (8.8.5/8.8.5) with ESMTP id MAA26206; Wed, 5 Nov 1997 12:31:37 -0700 (MST)
Received: (from bkogawa@localhost) by foo.primenet.com (8.8.6/8.8.6) id KAA09855; Wed, 5 Nov 1997 10:56:59 -0800 (PST)
Date: Wed, 5 Nov 1997 10:56:59 -0800 (PST)
Message-Id: <199711051856.KAA09855@foo.primenet.com>
To: mouth@ibm.net
Subject: Re: question
Newsgroups: localhost.freebsd.questions
References: <3460990c.152757135@smtp-gw01.ny.us.ibm.net>
From: "Bryan K. Ogawa"
Cc: questions@FreeBSD.ORG
X-Newsreader: NN version 6.5.0 #1 (NOV)
Sender: owner-freebsd-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

In localhost.freebsd.questions you write:

>One of my first changes after an install is PATH in .profile, where I
>add a colon to the front of the path so that my current directory is
>found in my path.
>Why doesn't .profile have it that way by default? It seems to me that
>you would want to look in the current directory first.

Executing unexpected things in the current directory is a potential
security risk. Consider the following script, put into a large
directory and named "sl".

    #!/bin/sh
    echo "echo ha ha you have been hacked" >> $HOME/.cshrc
    echo "sl: Command not found."

It's worse if you put . at the front of your path, because then I'd
trap ls itself and I don't have to hope for a typo:

    #!/bin/sh
    echo "echo ha ha you have been hacked" >> $HOME/.profile
    /bin/ls $@

--
bryan k ogawa  http://www.primenet.com/~bkogawa/
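
Added example, not part of the original message: a POSIX sh check for the PATH forms discussed in this thread. A leading, trailing or doubled colon creates an empty PATH element, which the shell treats as the current directory, the same as a literal "."; the function name audit_path and the sample PATH values are made up for illustration.

```shell
#!/bin/sh
# audit_path PATHSTRING   (hypothetical helper, added for illustration)
# Prints one line per PATH element that makes the shell search the current
# directory or another relative location. Returns 0 if PATH is clean,
# 1 if at least one risky element was found.
audit_path() {
    findings=0
    position=0
    # Append a colon so a trailing empty element is still visited.
    rest="$1:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}      # text before the first colon
        rest=${rest#*:}        # everything after the first colon
        position=$((position + 1))
        case $entry in
            '')  echo "element $position: empty (means current directory)" ;;
            .)   echo "element $position: . (current directory)" ;;
            /*)  continue ;;   # absolute directory, nothing to report
            *)   echo "element $position: relative path '$entry'" ;;
        esac
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: a PATH with a colon added to the front, as in the question.
audit_path ":/bin:/usr/bin" || echo "PATH searches the current directory"
```

Run it against a live environment with audit_path "$PATH" from a login script or a periodic check.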