Mysterious security hole

Brian Noble noble at ICSI.Berkeley.EDU
Thu Jun 13 10:01:14 AEST 1991


In article <CGD.91Jun11163602 at sandstorm.ocf.Berkeley.EDU> cgd at ocf.Berkeley.EDU (Chris G. Demetriou) writes:
>In article <91161.131540SCHDAVZ at YaleVM.YCC.Yale.Edu> SCHDAVZ at YaleVM.YCC.Yale.Edu (Dave Schweisguth) writes:
>>
>>This probably isn't so mysterious, but the subject line has got to be zippy or
>>nobody'll read my post.
>
>not so mysterious...and people would probably read it...but here's a response.
>>
>>The 'login' command initializes PATH with (among other useful directories)
>>'.'. 'su' leaves '.' out. A footnote to a Unix book I have here hints at a
>>security hole involving the _position_ of '.' in PATH, claiming that having
>>'.' first is dangerous. It doesn't say why.
>
>Having . first in a path can in fact be dangerous...
>
[a good explanation of why the . first is bad deleted]
>
>cgd
>cgd at ocf.Berkeley.EDU
>OCF Staff - But these words are mine, *ALL MINE*...
>

The PATH = (. /bin ...) problem is only a special case of a more general
problem, to wit: the thing you are executing may not be in just the place
you thought it may have been.

Most manual sets have a section on security (at least the SunOS one does)
and they are Highly Recommended Reading (tm) for anyone who has the slightest
responsibility for administering a system.  One of the things the Sun
manual says (which I have really taken to heart) will eliminate this strange
executable location problem altogether: always use _full_ pathnames, i.e.
they start with a / and are really long.

Brian
noble at tenet.berkeley.edu

"Just because I'm paranoid doesn't mean one of my users isn't up to something"
 

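The check implied by the thread above, as an added example that is not part of the original posts: a shell function that reports every PATH entry resolved relative to the current directory ('.', an empty entry, or any entry not starting with /), together with its position. The name `audit_path` and the sample PATH string are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread).
# audit_path is a hypothetical helper; it inspects a PATH-style string and
# prints one line per risky entry as "position:kind:entry".
# Exit status is 0 when every entry is an absolute directory, 1 otherwise.

audit_path() {
    path_value=$1
    pos=0
    findings=0
    # Append a colon so a trailing empty entry is still seen while splitting.
    rest="${path_value}:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text before the first colon
        rest=${rest#*:}     # text after the first colon
        pos=$((pos + 1))
        case $entry in
            "")
                # An empty entry (leading, trailing or doubled colon)
                # is searched as the current directory, same as '.'.
                printf '%s:empty-means-cwd:%s\n' "$pos" "$entry"
                findings=$((findings + 1)) ;;
            .)
                printf '%s:dot:%s\n' "$pos" "$entry"
                findings=$((findings + 1)) ;;
            /*)
                ;;          # absolute directory: nothing to report
            *)
                # e.g. "bin" or "../tools": depends on where you are standing
                printf '%s:relative:%s\n' "$pos" "$entry"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: '.' first, plus a doubled colon hiding a second cwd entry.
audit_path ".:/bin::/usr/bin" || echo "PATH has entries that depend on the current directory"
```

Running `audit_path "$PATH"` from root's login scripts, or against the PATH a privileged script sets for itself, shows whether the full-pathname advice is still needed as a backstop for that environment.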

