
Re: ./ in PATH, always bad?



On Mon, Jul 16, 2001 at 08:58:30AM -0400, Nathan Weston wrote:
> Correct me if I'm wrong, but I thought that the items in the path were 
> searched in order. So if your path is "/bin:/usr/bin:./", it will only search 
> ./ if it doesn't find the command in /bin or /usr/bin. Which means that there 
> is much less danger of someone replacing a standard program with a trojan. 

Theoretically, you're right, but:

$ sl
bash: sl: command not found

# dkpg
bash: dkpg: command not found

Think about that.  This is why good security has many layers, btw.

> Also, if we are talking about a single-user workstation, this seems like less 
> of an issue, b/c someone has to crack your user account at least in order to 
> do something like this. And if they crack that account, they've got access to 
> all the important stuff (ie, your personal files, which can't be simply 
> reinstalled) anyway.

1. You never know for sure.  In that sense, making assumptions like
"this is my home machine, thus is safe" is in itself a bad practice.
Building on the perceived security is as strong as your assumption,
not as your perception.  Maybe the context of your machine will change
in the future, but you forget to change the "only local" vulnerabilities.

2. If you know what you're doing, you can figure it out yourself.
In fact, you'll probably have figured long before that ./foo is more
convenient for the few times you actually need this.  "foo" not being
executable is something that trips me up far more often than "foo"
not being in $PATH.  On the other hand, if you don't know what you're
doing and in the newsgroups and mailing lists you read everywhere:
  "duh, put '.' in your $PATH, I use it all the time, cuz it's so easy.
   Dse^H^H^HTyping the dot is just too hard man, it's not cool!", 
you may get hurt if you're unlucky.  The dot is just not a very good
default.  Also, imho it is important that all the "newbie" guides out
there are a bit careful and not promise people free lunch while they
still can't see the difference between a sandwich and a sandwich with
a fishing angle in it.

3. Think about the story of the young cowboy who learned the ropes on a
red saddled pony, where "gun" is an alias to "gun --safety=on".  Then,
on some ill-fated day, our brave and courageous cowboy guy gets to ride
the plains under a hot sun, on a big horse...

I hope that you can see the parallel that I am trying to make.  :-)

> I make no claims to be an expert (or even particularly knowledgable) when it 
> comes to security, so someone please let me know if I'm entirely off base 
> here.

Security is not about trusting the experts, it's about not trusting
anyone, including yourself.  Don't trust me.  ;-)

Cheers,


Joost
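An added illustration of the PATH-ordering point above (this script is not part of the original mail and is not Joost's or Nathan's code). It models the left-to-right search a POSIX shell performs rather than calling the shell's own lookup, so that the result can be inspected from a script: a correctly typed "ls" is found early in PATH, but a typo such as "sl" matches nothing there and falls through to the trailing ".", where it executes whatever file the current directory happens to hold. The scratch directory and the "sl" file planted in it are constructed here for the demo; the audit function at the end flags PATH strings that contain the current directory explicitly or as an empty element.

```shell
#!/bin/sh
# Added demonstration (not from the original mail): reproduce the point
# about "./" in PATH. The trailing "." is consulted only for names that do
# not exist earlier in PATH, and a typo such as "sl" for "ls" is exactly
# such a name. The scratch directory and the "sl" file dropped into it are
# constructed here for the demo; nothing else is assumed.

# Print the file a POSIX shell would execute for command $1 under PATH=$2,
# searching the elements left to right. An empty element ("::", a leading
# or a trailing ":") means the current directory, just like ".".
# Returns 1 (and prints nothing) when the name is found nowhere.
resolve_in_path() {
    name=$1
    rest=$2:
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        [ -z "$dir" ] && dir=.
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# Resolve $1 as if standing in directory $2 with PATH=$3.
resolve_from_dir() {
    (cd "$2" && resolve_in_path "$1" "$3")
}

# Audit check: does the PATH string $1 include the current directory,
# either as an explicit "." / "./" or hidden as an empty element?
path_has_cwd() {
    rest=$1:
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        case $dir in
            ''|.|./) return 0 ;;
        esac
    done
    return 1
}

# Stand-in for a world-writable directory someone else has seeded:
# a file named after a common typo of "ls". Prints the directory.
make_scratch() {
    scratch=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho "this is not ls, it is whatever was in ."\n' > "$scratch/sl"
    chmod 755 "$scratch/sl"
    printf '%s\n' "$scratch"
}

scratch=$(make_scratch)
echo "Standing in $scratch with PATH=/bin:/usr/bin:."
echo "  ls -> $(resolve_from_dir ls "$scratch" /bin:/usr/bin:.)"
echo "  sl -> $(resolve_from_dir sl "$scratch" /bin:/usr/bin:.)"
echo "Same typo with PATH=/bin:/usr/bin"
echo "  sl -> $(resolve_from_dir sl "$scratch" /bin:/usr/bin || echo 'command not found')"
echo "Audit: PATH=/bin:/usr/bin:. contains cwd? $(path_has_cwd /bin:/usr/bin:. && echo yes || echo no)"
echo "Audit: PATH=/bin::/usr/bin contains cwd? $(path_has_cwd /bin::/usr/bin && echo yes || echo no)"
rm -rf "$scratch"
```

Running it prints "/bin/ls" for the correct name and "./sl" for the typo, and "command not found" once the dot is dropped from PATH. The audit function is the check worth running against your own login shell (`path_has_cwd "$PATH"`), since an empty element such as a stray leading or trailing ":" has the same effect as an explicit "." and is easier to miss.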


