Re: ./ in PATH, always bad?

To: debian-user@lists.debian.org
Subject: Re: ./ in PATH, always bad?
From: Nathan Weston <nweston@hamilton.edu>
Date: Mon, 16 Jul 2001 08:58:30 -0400
Message-id: <[🔎] 01071608583002.00664@cj-523-526.hamilton.edu>
In-reply-to: <[🔎] 20010713145337.A1663@crdic.ath.cx>
References: <[🔎] 20010713145337.A1663@crdic.ath.cx>

On Friday 13 July 2001 05:53 pm, Craig Dickson wrote:
> D-Man wrote:
> > Sure it's a "flaw" :  suppose someone creates an executable trojan in
> > "the current directory" named 'cd'.  If '.' is the first thing in the
> > path you will execute the trojan rather than the usual /bin/cd.
>
> s/cd/ls/g for a better argument. cd is a shell builtin; there is no
> /bin/cd.
>
> Having to type ./ in front of a program's name when it's in the current
> directory is pretty trivial, and when you understand the potential
> danger of having . in your path, you just don't do it ever again.
>
> Trivial example: I want a file that Joe has which he has chmodded to
> 600, i.e. he can read and write it, but nobody else can even read it. So
> I put something in my home directory that I think he'll want to see, and
> I also put a trojan script there which will copy the file for me and
> chown it to me. I create symlinks in my home directory pointing to the
> script, named "ls", "cp", "cat", and "mv". I tell Joe to look in my
> directory for the file, but "forget" to tell him its exact name (or I
> get it trivially wrong). Joe cd's to my directory and types "ls"... my
> script is executed and I get the file, all because Joe is the sort of
> guy who likes having . in his path.
>
> Of course, if he just looks in my directory without cd'ing to it, this
> won't work, but a lot of people have this interesting habit of always
> cd'ing to wherever they think something is, rather than just referencing
> it by relative or absolute directory name, so a trick like this will
> work surprisingly often once you know that someone has . in his path.
>
> Craig

Correct me if I'm wrong, but I thought that the items in the path were 
searched in order. So if your path is "/bin:/usr/bin:./", it will only search 
./ if it doesn't find the command in /bin or /usr/bin. Which means that there 
is much less danger of someone replacing a standard program with a trojan. 

Also, if we are talking about a single-user workstation, this seems like less 
of an issue, b/c someone has to crack your user account at least in order to 
do something like this. And if they crack that account, they've got access to 
all the important stuff (ie, your personal files, which can't be simply 
reinstalled) anyway.

I make no claims to be an expert (or even particularly knowledgable) when it 
comes to security, so someone please let me know if I'm entirely off base 
here.

Nathan

Reply to:

Follow-Ups:
- Re: ./ in PATH, always bad?
  - From: Alan Shutko <ats@acm.org>
- Re: ./ in PATH, always bad?
  - From: joost@topaz.mdcc.cx (Joost Kooij)

References:
- Re: ./ in PATH, always bad?
  - From: Craig Dickson <crdic@yahoo.com>

Prev by Date: Re: dependency problem in Debian unstable distribution
Next by Date: Re: XWindows library
Previous by thread: Re: ./ in PATH, always bad?
Next by thread: Re: ./ in PATH, always bad?
Index(es):
- Date
- Thread