
Re: Unable to start program



Daniel Martin at cush <dtm12@jhunix.hcf.jhu.edu> writes:

> I should point out that it is considered a bad security idea to put
> "." (or in fact any directory name that doesn't begin with "/") in
> root's PATH.  If you're just wanting to do something one time, it
> might be ok to do 'PATH=$PATH:.' as above but I wouldn't put that into
> root's initialization files, or into the system-wide path.  (I should
> qualify this with the statement that I don't completely understand why 
> this is a security hole when it's done as the last component of the
> PATH, but...)

Quite simple: think of a command named sl put in some user's home
directory, and root, who tries to type ls but accidentally types sl.  If
cwd is that directory, the program sl is executed with root privilege
:-(.

        Torsten
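
The check implied by this exchange, as an added example that is not part of the original messages: a POSIX shell function that flags every PATH component not beginning with "/", including empty components, which the shell also searches as the current directory. The names audit_path and SAMPLE_PATH and the sample value are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag PATH components that are resolved relative to the
# current working directory. audit_path and SAMPLE_PATH are constructed names.

# audit_path PATH_STRING
# Prints one line per unsafe component; returns 1 if any were found, else 0.
audit_path() {
    ap_rest=$1
    ap_found=0
    ap_index=0
    while :; do
        # Peel off one component by hand so that empty ones ("::", a leading
        # or a trailing ":") are kept; IFS splitting would drop some of them.
        case $ap_rest in
            *:*) ap_entry=${ap_rest%%:*}; ap_rest=${ap_rest#*:}; ap_last=0 ;;
            *)   ap_entry=$ap_rest; ap_last=1 ;;
        esac
        ap_index=$((ap_index + 1))
        case $ap_entry in
            /*) ;;  # absolute directory: independent of cwd
            '') echo "component $ap_index: empty entry, searched as the current directory"
                ap_found=1 ;;
            *)  echo "component $ap_index: relative entry '$ap_entry'"
                ap_found=1 ;;
        esac
        if [ "$ap_last" -eq 1 ]; then break; fi
    done
    return "$ap_found"
}

# Constructed sample: a root PATH with "." appended as the last component.
SAMPLE_PATH='/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin:.'
audit_path "$SAMPLE_PATH" || echo "PATH needs cleanup before use as root"
```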

