Mysterious security hole

B. Sam Blanchard sam at bsu-cs.bsu.edu
Tue Jun 18 03:22:54 AEST 1991


In article <70 at pyuxf.UUCP> mal1 at pyuxf.UUCP (25337-maureen lecuona) writes:
>The security hole having to do with "." being anywhere but last
>in the PATH is due to the following scenario:
>
>Let the following be true:
>PATH=.:/bin:/usr/bin:/etc
>
>Maureen Lecuona
>Integrated Business Solutions, Inc.

Here's a nice and fairly simple way to improve security.
PATH=/bin:/usr/bin:/etc
then, to execute something in the local directory use ./command or a full path.
Since non-standard commands as root are "evil" this occasional lapse is not as
hard as it may appear.  If you have local commands then create /usr/local/etc
and include this in your path.
WARNING:  Do not include a : at the start or end of your PATH.  Try it ;-)

-- 
B. Sam Blanchard UUCP:  <backbones>!{iuvax,pur-ee}!bsu-cs!sam
                 ARPA:  sam at bsu-cs.bsu.edu
3207 W. Devon Rd         (317) 741-4500   work
Muncie, IN 47304
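
The following check is an added example, not part of the original post. It is a POSIX shell function (the name `audit_path` is hypothetical) that flags the PATH entries discussed above: "." and empty entries, which a leading ":", a trailing ":" or "::" create and which the shell treats as the current directory. It goes slightly beyond the post by also flagging any other relative entry.

```shell
#!/bin/sh
# Added example: audit a PATH string for entries that resolve relative to
# the current directory. Usage: audit_path "$PATH"

audit_path() {
    # $1: PATH string to audit (defaults to the current $PATH).
    # Prints one line per risky entry.
    # Returns 0 if the PATH is clean, 1 if any risky entry was found.
    path_to_check=${1-$PATH}
    found=0
    pos=0
    # Append a sentinel ":" so a trailing empty entry is still seen
    # when the string is split on ":".
    rest="${path_to_check}:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text before the first ":"
        rest=${rest#*:}     # text after the first ":"
        pos=$((pos + 1))
        case $entry in
            "")
                # Empty entry: the shell searches the current directory.
                echo "entry $pos: empty (means current directory)"
                found=1
                ;;
            .)
                echo "entry $pos: \".\" (current directory)"
                found=1
                ;;
            /*)
                # Absolute path: not affected by the working directory.
                ;;
            *)
                echo "entry $pos: relative path \"$entry\""
                found=1
                ;;
        esac
    done
    return $found
}
```
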



More information about the Comp.unix.admin mailing list