
Re: from a.out to running the darned thing.

On Sun, Jan 23, 2005 at 11:06:53PM -0600, Kent West wrote:
> Travis Crump wrote:
> >I understand . since . could potentially be an insecure directory like 
> >/tmp, but what is wrong with ~/bin?  If an attacker is able to place a 
> >binary in ~/bin doesn't he already have the permissions to do "rm -rf 
> >~" himself?
> No, "~/bin" is not the same as "/bin". "~/bin" is the current user's 
> directory. Still, I'm not sure that "~/bin" represents a threat, because 
> the bad guy's "~/bin" won't be in root's path, and the bad guy 
> presumably won't be able to put a bad file in root's "~/bin", which may 
> be what you're saying above.
> But having "." in one's path is definitely risky.

You don't have to worry about bad guys to be fearful of . in one's path.
Most problems in computer use are self-inflicted user errors. Keeping .
out of PATH protects mere mortals from some of their mistakes.

Paul E Condon           
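An added example, not part of Paul's message or of the thread: a POSIX shell function that audits a PATH value for the entries discussed above ("." and empty components, which both mean the current directory; relative components) and, going one step beyond the thread, flags any directory that is world-writable, which is the real test of whether a ~/bin entry is safe. The sample PATH strings are constructed.

```shell
#!/bin/sh
# Audit a PATH value (passed as $1) for risky entries.
# Prints one line per finding; returns 0 if clean, 1 if anything was flagged.
check_path() {
    rest="$1:"     # append ':' so the last component is terminated like the others
    bad=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            "")
                echo "RISK: empty component (searches the current directory)"
                bad=1 ;;
            .)
                echo "RISK: '.' (searches the current directory)"
                bad=1 ;;
            /*)
                # Absolute entry: only a problem if anyone can drop a binary into it.
                if [ -d "$entry" ] && \
                   [ -n "$(find "$entry" -prune -perm -002 2>/dev/null)" ]; then
                    echo "RISK: $entry is world-writable"
                    bad=1
                fi ;;
            *)
                echo "RISK: relative entry '$entry' (resolved against the current directory)"
                bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample PATH values (not from a real system).
# On a live machine, run: check_path "$PATH"
for p in "/usr/local/bin:/usr/bin:/bin" "/usr/bin:.:/bin" "/usr/bin:" "bin:/usr/bin"; do
    echo "checking: $p"
    check_path "$p" && echo "  ok"
done
```

A trailing ':' in the third sample is the easy one to miss: it is an empty component and therefore the same thing as '.'.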
