
Re: from a.out to running the darned thing.



On Sun, 2005-01-23 at 23:43 -0500, Travis Crump wrote:
> Ron Johnson wrote:
> > On Sun, 2005-01-23 at 20:59 -0500, Scotty Fitzgerald wrote:
> > 
> >>I know, this has to be a really dumb question.  I must be 
> >>missing something really simple on this one.  I want to point 
> >>out that I googled up and down but must be asking google the
> >>wrong thing.
> > 
> > [snip]
> > 
> >>I type "a.out" into bash and I get "command not found"
> >>
> >>Is there something I have to do to tell bash that this 
> >>executable is an executable, or did I leave out a step?
> > 
> > 
> > Why, I bet you're asking yourself, doesn't bash first look in .
> > when you want to execute a script?
> > 
> > Security.  Let's say someone hacks into your account, and puts in
> > a program named "ls" that is really a shell script that does 
> > "rm -rf ~".  You see the problem...
> > 
> > This is why putting . and ~/bin in your PATH is a very bad idea.
> > 
> 
> I understand . since . could potentially be an insecure directory like 
> /tmp, but what is wrong with ~/bin?  If an attacker is able to place a 
> binary in ~/bin doesn't he already have the permissions to do "rm -rf ~" 
> himself?

. is all that is necessary for an immediate attack.  For sabotage,
though, ~/bin would be better suited.

-- 
-----------------------------------------------------------------
Ron Johnson, Jr.
Jefferson, LA USA
PGP Key ID 8834C06B I prefer encrypted mail.

484,246 sq mi (1,254,197 sq km) are needed for 6 billion people
to live, 4 persons per lot, in lots that are 60'x150' (a nice
suburban US plot).
That is ~ California, Texas and Missouri.
Alternatively, France, Spain and The United Kingdom.
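The thread's point is that a search-path entry an attacker can write to (the current directory, or any world-writable directory) lets a planted "ls" be found before the real one. As an added example that is not code from this thread or from any of its posters, the POSIX shell script below audits a PATH-style string for exactly those entries: empty elements and "." (both mean the current directory), other relative entries, and directories that are writable by everyone. The function and variable names are the example's own; the demonstration at the bottom builds a throwaway world-writable directory rather than touching the real PATH.

```shell
#!/bin/sh
# Added example (not code from the thread): audit a PATH-style string for
# entries that let a planted "ls" be found ahead of the real one.

# Print a reason if ENTRY is unsafe; print nothing if it looks fine.
classify_entry() {
    entry="$1"
    case "$entry" in
        ""|.) echo "current directory (empty entry or '.')"; return 0 ;;
        /*)   ;;   # absolute: fall through to the permission check
        *)    echo "relative entry '$entry'"; return 0 ;;
    esac
    # ls -ld prints a mode such as "drwxrwxrwt"; the 9th character is the
    # others-write bit. A missing directory prints nothing and is skipped.
    mode=$(ls -ld "$entry" 2>/dev/null || true)
    case "$mode" in
        ????????w*) echo "world-writable directory '$entry'" ;;
    esac
}

# Print one "unsafe: ..." line per bad entry, then a summary line.
# Returns 0 when every entry is safe, 1 otherwise.
audit_path() {
    rest="$1:"          # trailing ':' so the last entry is split like the rest
    total=0
    unsafe=0
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        total=$((total + 1))
        reason=$(classify_entry "$entry")
        if [ -n "$reason" ]; then
            echo "unsafe: $reason"
            unsafe=$((unsafe + 1))
        fi
    done
    echo "summary: $unsafe unsafe of $total entries"
    [ "$unsafe" -eq 0 ]
}

# Just the number of unsafe entries, for use in other scripts and checks.
unsafe_count() {
    audit_path "$1" | sed -n 's/^summary: \([0-9]*\) .*/\1/p'
}

# Demonstration on a constructed PATH. A temporary directory made
# world-writable stands in for something like /tmp; the real PATH is untouched.
demo_dir=$(mktemp -d)
chmod 777 "$demo_dir"
demo_path="/usr/bin:$demo_dir:bin::/usr/local/bin"
if audit_path "$demo_path"; then
    echo "no unsafe entries"
else
    echo "unsafe entries found; remove them before running anything here"
fi
rmdir "$demo_dir"
```

Run it as `audit_path "$PATH"` to check the live setting; the summary line and the non-zero exit status make it usable from a login script or a configuration check. The world-writable test deliberately reads the directory's own mode rather than testing `-w`, because `-w` only says whether the current user can write there, and the risk the thread describes comes from what other users can write.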
