
Re: Dot in PATH



On 13 Jul 1999, in message <378AF94C BF20252C schaffter com>
  Gustav Schaffter <gustav schaffter com> wrote:
| In the OS/2 Warp world (and the Win-x environments) there is an implicit
| dot "." in the beginning of the PATH. (By the command interpreter always
| looking first in 'current directory'.)

Yeah, horrible. Heuer's Razor: "If it can't be turned off, it's _not_ a
feature."

| This is not the case under Linux. I have to start a local command by
| typing ./mycommand

True. A tiny inconvenience. The keys are even adjacent.

| I have understood that in the Linux world it is considered to be a
| security risk to insert a "." in the beginning of the PATH variable.
| Could anyone explain to a Linux newbie (that's me ;-) *why* this is a
| security risk, and how anyone could take (malicious) profit of this?

Consider the multiuser system. "." places you at the mercy of whatever
directory you're standing in. I used to regularly catch people visiting
my directory because I had an "ls" command there. It just logged their
name (silently) and ran the real one, but the potential for misuse is immense.

Now, for the std commands, such a thing works only if the user is silly
enough to put "." at the front of the path (or early in the path, anyway).

Misuse aside, a dot near the front means normal scripts can break if
your local test program happens to coincide with a less known but
standard system command.  The classic example is calling your test
program "test", since test is a standard command much used in scripts.

Even with a . near the end, security-wise you're susceptible to attacks
based on common typos. (If I had . in my path an attack could get me by
writing a program named "ls-ld", since I regularly drop the space
typing "ls -ld".)

It needn't even be an attack. We all make typos, and a test program
that merely happens to match one can cause subtle havoc.

Spurn the dot. "./" is your friend. It is a small hassle and good protection.
--
Cameron Simpson, DoD#743        cs zip com au    http://www.zip.com.au/~cs/

My favorite cheating incident actually happened to a friend of mine,
who confronted a copier with his misdeeds, after class.  The student's
response was something like: ``But I work for [US government agency],
and we *always* do that!''
	- Howard E. Motteler <motteler umbc edu>
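Added example, not from the post above: a POSIX sh audit of the risk described in the reply. It flags PATH components that resolve to the current directory and lists executables in a directory (say, a test program called "test") that would shadow a same-named command living in an absolute PATH entry. It goes a little beyond the post by also treating an empty PATH component (leading or trailing ':' or '::') as the current directory, which is how POSIX shells interpret it; the function names and output format are my own.

```sh
#!/bin/sh
# Added example (not part of the original message). Assumes POSIX sh.

# path_risky_entries PATH_VALUE
# Prints "<position> <entry> <reason>" for each component that makes
# command lookup depend on the directory you happen to be standing in.
path_risky_entries() {
    _rest="$1:"          # trailing ':' lets the loop see a final empty entry
    _i=0
    while [ -n "$_rest" ]; do
        _entry="${_rest%%:*}"
        _rest="${_rest#*:}"
        _i=$((_i + 1))
        case "$_entry" in
            "")  echo "$_i <empty> current-directory" ;;   # '' means cwd
            .)   echo "$_i . current-directory" ;;
            /*)  : ;;                                      # absolute: fine
            *)   echo "$_i $_entry relative-to-cwd" ;;     # e.g. "bin"
        esac
    done
}

# shadowed_commands DIR PATH_VALUE
# For every executable in DIR, reports the first same-named command found
# in an absolute PATH entry: running from DIR with "." early in PATH would
# pick the local file instead of that command (the "test" case in the post).
shadowed_commands() {
    _dir="$1"
    _path="$2:"
    for _f in "$_dir"/*; do
        [ -f "$_f" ] && [ -x "$_f" ] || continue
        _name="${_f##*/}"
        _r="$_path"
        while [ -n "$_r" ]; do
            _e="${_r%%:*}"
            _r="${_r#*:}"
            case "$_e" in /*) ;; *) continue ;; esac       # skip '.', '' etc.
            if [ -x "$_e/$_name" ]; then
                echo "$_name shadows $_e/$_name"
                break
            fi
        done
    done
}

# Stand-alone usage: audit the live PATH and the current directory.
path_risky_entries "$PATH"
shadowed_commands "$PWD" "$PATH"
```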


