
Re: Dangerous to have ~/bin first in $PATH [was Re: Odd Path issue]



On Sat, Sep 28, 2002 at 05:44:58PM +1000, Russell wrote:
> Colin Watson wrote:
> > I think a more sensible rule is to only put directories in $PATH that
> > are at least as trusted as the relevant account. Thus, /usr/bin and so
> > on are always fine, ~/bin is only fine for the owning user, and . is
> > never a good idea.
> 
> Why is ./ in the path bad? If someone hacked in, couldn't they
> set the path to anything they wanted?

Unlike ~/bin, the current directory is not always under your control. If
you put . in $PATH, then 'cd /tmp; ls' is no longer safe.

The current directory is potentially in a different security domain, and
should be treated accordingly. ~/bin is in your own security domain, so
there is no need to worry about using it.

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]
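
An added example, not part of the original message: a POSIX shell function that audits a PATH string against the rule discussed in this thread, flagging ".", empty and relative entries, and directories owned by or writable by someone outside the account. The name audit_path and the output labels are this example's own, and treating group-writable directories as untrusted is an assumption about who is in the group.

```shell
#!/bin/sh
# audit_path PATHSTRING
# Prints one line per entry that is not at least as trusted as the current
# account. Returns 1 if anything was flagged, 0 otherwise.
audit_path() {
    rest="$1:"          # trailing colon so the last entry is consumed too
    me=$(id -u)
    bad=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            ''|.)
                # An empty entry (leading, trailing or doubled colon) is
                # searched as the current directory, exactly like ".".
                echo "CWD: entry '$entry' searches the current directory"
                bad=1; continue ;;
            /*) ;;
            *)
                echo "RELATIVE: $entry resolves against the current directory"
                bad=1; continue ;;
        esac
        [ -d "$entry" ] || continue
        # "$entry/." makes find examine the target of a symlinked directory.
        if [ -n "$(find "$entry/." -prune ! -user "$me" ! -user 0 2>/dev/null)" ]; then
            echo "OWNER: $entry is owned by another non-root user"
            bad=1
        fi
        # A sticky bit (as on /tmp) does not help: others can still add files.
        if [ -n "$(find "$entry/." -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
            echo "WRITABLE: $entry is writable by group or others"
            bad=1
        fi
    done
    return "$bad"
}

# Audit the PATH given as the first argument, or the current $PATH.
audit_path "${1-$PATH}" || true
```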


