
Re: from a.out to running the darned thing.



Ron Johnson wrote:

> On Sun, 2005-01-23 at 23:43 -0500, Travis Crump wrote:
>> Ron Johnson wrote:
>> > On Sun, 2005-01-23 at 20:59 -0500, Scotty Fitzgerald wrote:
>> > 
>> >>I know, this has to be a really dumb question.  I must be
>> >>missing something really simple on this one.  I want to point
>> >>out that I googled up and down but must be asking google the
>> >>wrong thing.
>> > 
>> > [snip]
>> > 
>> >>I type "a.out" into bash and I get "command not found"
>> >>
>> >>Is there something I have to do to tell bash that this
>> >>executable is an executable, or did I leave out a step?
>> > 
>> > 
>> > Why, I bet you're asking yourself, doesn't bash first look in .
>> > when you want to execute a script?
>> > 
>> > Security.  Let's say someone hacks into your account, and puts in
>> > a program named "ls" that is really a shell script that does
>> > "rm -rf ~".  You see the problem...
>> > 
>> > This is why putting . and ~/bin in your PATH are very bad ideas.
>> > 
>> 
>> I understand . since . could potentially be an insecure directory like
>> /tmp, but what is wrong with ~/bin?  If an attacker is able to place a
>> binary in ~/bin doesn't he already have the permissions to do "rm -rf ~"
>> himself?
> 
> . is all that is necessary for an immediate attack.  For sabotage,
> though, ~/bin would be better suited.
> 
Thanks, this worked.  It must have been a holdover from DOS 
left in my brain that the current directory would be checked.

Thanks also for the security explanation.  Security while online 
was the final thing that pushed me to get Linux up and running!
yours
---
Scotty
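
The PATH risk discussed in this thread, as an added example that is not part of any poster's message: a POSIX shell function that reports PATH entries which let a file in the current directory, or in a shared directory such as /tmp, shadow a command like ls. It goes slightly beyond the literal "." case by also covering empty entries and relative paths, which the shell resolves the same way. The name `audit_path` and the sample PATH value are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): audit a PATH-style string.

# audit_path PATHSTRING
# Prints "reason<TAB>entry" for each risky entry.
# Exit status: 0 if nothing was reported, 1 otherwise.
audit_path() (
    rest="$1:"      # trailing ':' so the loop also sees a final empty entry
    found=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}       # text before the first ':'
        rest=${rest#*:}         # text after the first ':'
        case $entry in
            "") reason="empty entry (searched as current directory)" ;;
            .)  reason="current directory" ;;
            /*) # Absolute path: report only if any user can write into it.
                # -H follows a symlinked entry such as /bin -> usr/bin.
                if [ -n "$(find -H "$entry" -prune -type d -perm -0002 2>/dev/null)" ]; then
                    reason="world-writable directory"
                else
                    continue
                fi ;;
            *)  reason="relative path (resolved against current directory)" ;;
        esac
        printf '%s\t%s\n' "$reason" "$entry"
        found=1
    done
    [ "$found" -eq 0 ]
)

# Constructed sample value; pass "$PATH" as the first argument to audit your own.
audit_path "${1:-/usr/bin:.:/tmp::bin}" || echo "risky PATH entries found" >&2
```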


