Re: ./ in PATH, always bad?
On Friday 13 July 2001 05:53 pm, Craig Dickson wrote:
> D-Man wrote:
> > Sure it's a "flaw" : suppose someone creates an executable trojan in
> > "the current directory" named 'cd'. If '.' is the first thing in the
> > path you will execute the trojan rather than the usual /bin/cd.
>
> s/cd/ls/g for a better argument. cd is a shell builtin; there is no
> /bin/cd.
>
> Having to type ./ in front of a program's name when it's in the current
> directory is pretty trivial, and when you understand the potential
> danger of having . in your path, you just don't do it ever again.
>
> Trivial example: I want a file that Joe has which he has chmodded to
> 600, i.e. he can read and write it, but nobody else can even read it. So
> I put something in my home directory that I think he'll want to see, and
> I also put a trojan script there which will copy the file for me and
> chown it to me. I create symlinks in my home directory pointing to the
> script, named "ls", "cp", "cat", and "mv". I tell Joe to look in my
> directory for the file, but "forget" to tell him its exact name (or I
> get it trivially wrong). Joe cd's to my directory and types "ls"... my
> script is executed and I get the file, all because Joe is the sort of
> guy who likes having . in his path.
>
> Of course, if he just looks in my directory without cd'ing to it, this
> won't work, but a lot of people have this interesting habit of always
> cd'ing to wherever they think something is, rather than just referencing
> it by relative or absolute directory name, so a trick like this will
> work surprisingly often once you know that someone has . in his path.
>
> Craig
Correct me if I'm wrong, but I thought that the items in the path were
searched in order. So if your path is "/bin:/usr/bin:./", it will only search
./ if it doesn't find the command in /bin or /usr/bin. Which means that there
is much less danger of someone replacing a standard program with a trojan.
Also, if we are talking about a single-user workstation, this seems like less
of an issue, b/c someone has to crack your user account at least in order to
do something like this. And if they crack that account, they've got access to
all the important stuff (ie, your personal files, which can't be simply
reinstalled) anyway.
I make no claims to be an expert (or even particularly knowledgable) when it
comes to security, so someone please let me know if I'm entirely off base
here.
Nathan
Reply to: