Re: Why can't I execute a script??
Evan Van Dyke wrote:
> Peter S Galbraith wrote:
>> If some user is capable of putting a fake `ls' in a random directory where
>> you might trip on it, that user is far more likely to put it in your ~/bin
>> directory! (Same privileges are required)
>>
>> Just a thought.
>
> Just make the . directory the _last_ part of your path, that way it will
> search /bin /usr/bin /usr/local/bin and
> all the rest of your path first.

This discussion crops up on this list once a week or so. The bottom line
is that users (root especially) should not have a "." anywhere in their
path. Let's assume that root has a "." as the last element of his path.
He then goes to the home directory of a malignant user, intending to do an
"ls" on his dir. Even root is not perfect, so he makes a typo and
actually types "sl" instead. The malignant user has a script called "sl"
in his home dir:

    #!/bin/sh
    # Do bad stuff as root...
    rm -f sl
    echo "bash: sl: command not found" >&2

And root never knew what hit him...
--
/'"`\ zzzZ | My PGP Public Key is available at:
( - - ) | <http://home1.inet.tele.dk/renehl/>
--oooO--(_)--Oooo------------------------------------------
Don't ya just hate it when there's not enough room to fin
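
A check for the PATH problem discussed in this thread, added here as an example and not part of the original messages; the function name audit_path and the sample PATH strings in the comments are assumptions. Besides a literal ".", it flags other relative entries and empty entries (a leading, trailing or doubled ":"), which the shell also resolves against the current directory.

```shell
#!/bin/sh
# Added example (not from the original thread).
# audit_path PATHSTRING
#   Prints one line per PATH entry that makes command lookup depend on
#   the current directory. Returns 0 if the PATH is clean, 1 otherwise.
# Usage: audit_path "$PATH"
# Constructed sample inputs: "/usr/bin:/bin:."   "/usr/bin::/bin:bin"
audit_path() {
    path_value=$1
    risky=0
    index=0
    # Append ':' so a trailing empty entry (as in "/bin:") survives the split.
    rest="$path_value:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text up to the first ':'
        rest=${rest#*:}     # everything after the first ':'
        index=$((index + 1))
        case $entry in
            '')
                # An empty entry is searched as the current directory.
                echo "entry $index: empty (means current directory)"
                risky=1
                ;;
            /*)
                # Absolute path: lookup does not depend on where you cd.
                ;;
            *)
                # ".", "..", "bin", "./tools": all resolve relative to cwd.
                echo "entry $index: relative path '$entry'"
                risky=1
                ;;
        esac
    done
    return $risky
}
```

Running it from root's login profile, or in a periodic check of user profiles, catches the "." at the end of the path just as it does one at the front.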