Date: Thu, 10 Oct 1996 00:45:51 -0700 (PDT) From: Veggy Vinny <richardc@CSUA.Berkeley.EDU> To: Mark Murray <mark@grondar.za> Cc: Warner Losh <imp@village.org>, current@FreeBSD.org Subject: Re: /usr/bin/install in -current broken Message-ID: <Pine.PTX.3.95.961010004357.5738d-100000@soda.CSUA.Berkeley.EDU> In-Reply-To: <199610100603.IAA12278@grumble.grondar.za>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 10 Oct 1996, Mark Murray wrote: > Veggy Vinny wrote: > > Hmmm, is moving the '.' to the last component in the path still a > > security risk? I guess you are right that I don't want to have it in > > root's path but I guess as the last component it should be okay since no > > one can name something with the same name and have me run it... =) > > Of course. Al someon has to do is name a script/trojan/whatever > as anything that is commonly mistyped to get you. > > How often do you type (for instance) > > l s-al for ls -al > fin or fnid for find > etc? Not that often... > This leaves (in these cases) l, fin an fnid open for an attacker. It seems like on our machines, they don't hack by logging in to the machine but I don't know what they did to put a program in a port and then they telnet to it to get root shell without even logging in... Cheers, -Vince- GaiaNet Corporation Unix Networking Operation
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.PTX.3.95.961010004357.5738d-100000>