Mysterious security hole

Dave Schweisguth SCHDAVZ at YaleVM.YCC.Yale.Edu
Tue Jun 11 03:15:40 AEST 1991


This probably isn't so mysterious, but the subject line has got to be zippy or
nobody'll read my post.
 
The 'login' command initializes PATH with (among other useful directories)
'.'. 'su' leaves '.' out. A footnote to a Unix book I have here hints at a
security hole involving the _position_ of '.' in PATH, claiming that having
'.' first is dangerous. It doesn't say why.
     These add up to something screwy with '.'. Can someone explain why root/
Joe User ought/ought not have '.' in his/her path, and if so should it be
first, last, or anywhere, and (this is the good part) why? The system is an
SGI Personal Iris, IRIX v3.3.2, if it matters.
 
This may well be an FAQ (the book certainly seems to think so) but I haven't
found an FAQ list. If there is one, please let me know. Thanks!
 _____________________________________________________________________________
/                                                                             \
|   Dave Schweisguth               5386 Yale Station           203-436-2694   |
|   schdavz at yalevm.ycc.yale.edu    New Haven, CT 06502-5386                   |
\_____________________________________________________________________________/
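
An added example, not part of the original post: a POSIX shell check that reports where '.' and its equivalents sit in a PATH string. It relies on two facts: the shell searches PATH entries left to right, and an empty entry (a leading, trailing or doubled ':') also means the current directory. The function name `audit_path` and the sample PATH are constructed for illustration.

```shell
#!/bin/sh
# Added example: list PATH entries that are resolved relative to the
# current directory, with their 1-based position in the search order.
#
# audit_path PATHSTRING
#   prints one "position:kind:entry" line per flagged entry
#   kind = dot      entry is '.' or './'
#          empty    empty entry, which the shell treats as the current directory
#          relative any other entry that does not start with '/'
#   exit status 0 if nothing was flagged, 1 otherwise
audit_path() {
    ap_rest="$1:"      # trailing ':' so the last entry (even an empty one) is kept
    ap_idx=0
    ap_found=0
    while [ -n "$ap_rest" ]; do
        ap_entry=${ap_rest%%:*}    # text before the first ':'
        ap_rest=${ap_rest#*:}      # everything after the first ':'
        ap_idx=$((ap_idx + 1))
        case $ap_entry in
            '')    ap_kind=empty ;;
            .|./)  ap_kind=dot ;;
            /*)    continue ;;     # absolute directory: not flagged
            *)     ap_kind=relative ;;
        esac
        echo "$ap_idx:$ap_kind:$ap_entry"
        ap_found=1
    done
    return $ap_found
}

# Constructed sample: '.' first, an empty entry in the middle, one relative dir.
SAMPLE_PATH='.:/usr/bin::bin:/bin'
audit_path "$SAMPLE_PATH" || echo "PATH has entries that depend on the current directory"
```

To check a live session, call `audit_path "$PATH"` from the account in question, for example once after 'login' and once after 'su', and compare the reported positions.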



More information about the Comp.unix.admin mailing list