[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: how to execute an executable file



On Tue, 2007-02-27 at 05:42 -0500, Michael Velez wrote:
>  
> 
> > -----Original Message-----
> > From: redhat-install-list-bounces redhat com 
> > [mailto:redhat-install-list-bounces redhat com] On Behalf Of narendra
> > Sent: Tuesday, February 27, 2007 5:12 AM
> > To: Getting started with Red Hat Linux
> > Subject: RE: how to execute an executable file 
> > 
> > Hi,
> > Why shouldn't the current working directory be in the PATH? 
> > 
> > Narendra 
> > 
> 
> This is more important for the 'root' user as opposed to regular users, but I
> guess one could advise it for all users.
> 
> It's to avoid a security risk called a Trojan Horse.  A Trojan Horse is an
> executable that has the same name as a standard Linux/Unix system command
> but does something completely different.
> 
> Say you're in the 'tmp' directory (or any publicly accessible directory) and
> an unknown user has created a program called 'ifconfig' in that directory.
> You, as root, would like to execute the 'ifconfig' command while in the tmp
> directory.  If '.' is in the path before /sbin is, you will inadvertently
> execute the 'ifconfig' command in the tmp directory.  That ifconfig command,
> run as the root user, can do anything it wants, even give root permissions
> to any other user.
> 
> That is why the 'root' user should only have well-defined system directories
> in its path, and definitely not directories that are publicly-accessible.
> Since '.' can point to anything, it should never be in the path.
> 
> Variants of this idea can also apply to all users.

Good example, Michael.

----------------------------------------------------------------------
- Rick Stevens, Principal Engineer          rstevens vitalstream com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-             To iterate is human, to recurse, divine.               -
----------------------------------------------------------------------
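The following is an added example, not part of the original thread, that reproduces Michael's scenario in a scratch directory instead of the real /tmp and /sbin. A throwaway tree (created with mktemp, an assumption of the example) holds a genuine stand-in for /sbin/ifconfig and an attacker-planted ifconfig in a "public" directory; `which_in_path` performs the same left-to-right PATH search the shell does (an empty PATH component also means the current directory), and `run_from` shows what actually executes when the victim runs `ifconfig` from the public directory with different PATH orderings.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post): simulate a PATH
# trojan using a scratch tree so nothing on the real system is touched.
set -eu

# Constructed scratch tree:
#   $work/sbin/ifconfig  stands in for the real /sbin/ifconfig
#   $work/pub/ifconfig   stands in for a file an unknown user dropped in /tmp
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
mkdir -p "$work/sbin" "$work/pub"
printf '#!/bin/sh\necho genuine\n' > "$work/sbin/ifconfig"
printf '#!/bin/sh\necho TROJAN\n'  > "$work/pub/ifconfig"
chmod 755 "$work/sbin/ifconfig" "$work/pub/ifconfig"

# which_in_path NAME PATHSPEC
# Print the file the shell would run for NAME under PATHSPEC: components are
# searched left to right, the first executable regular file wins, and an
# empty component (leading/trailing/double colon) is the current directory.
which_in_path() {
    name=$1
    remaining=$2:
    while [ -n "$remaining" ]; do
        dir=${remaining%%:*}
        remaining=${remaining#*:}
        if [ -z "$dir" ]; then dir=.; fi
        if [ -x "$dir/$name" ] && [ ! -d "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# run_from DIR PATHSPEC
# Act as the victim: cd into DIR, set PATH to PATHSPEC, type "ifconfig".
run_from() {
    ( cd "$1" && export PATH="$2" && ifconfig )
}

# Demonstration: same command, same directory, three PATH orderings.
printf 'PATH=.:sbin   from pub -> '; run_from "$work/pub" ".:$work/sbin"
printf 'PATH=sbin:.   from pub -> '; run_from "$work/pub" "$work/sbin:."
printf 'PATH=sbin     from pub -> '; run_from "$work/pub" "$work/sbin"
```

With "." ahead of the system directory the planted file runs; with "." after it the genuine one runs, but only because the attacker did not pick a name that is missing from the system directories, which is why the thread's advice is to leave "." out entirely rather than move it to the end.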

