dot in path (was Re: Mysterious security hole)
Jamie Mason
jmason2 at gpu.utcs.utoronto.ca
Thu Jun 20 12:32:56 AEST 1991
In article <1991Jun19.191124.20380 at cs.utk.edu> Dave Sill <de5 at ornl.gov> writes:
>Now suppose the user calls up the system administrator, who is known
>to remain su'd to root most of the time, and requests help with make.
>The user explains that when he updates a file, make fails to rebuild
>everything it should. The admin scans the Makefile, does an ls or
>two, touches some files, checks the date, etc. Of course, he's
>careful not to run "make" or the user's program, and he's left dot out
>of his path. Eventually, he sees that a filename is misspelled, or
>that there's a missing dependency, or whatever. The user thanks him,
>and that's that. Right?
>
>Unless the admin happened to mistype "date" as "dtae" at some point.

Of course, the administrator's mistake was *not* that he had "."
in his path. His mistake was that he helped a user with a problem with
their personal files *as root*. What he/she should have done is su'ed to
the user with the problem, then used *that* shell to solve the problem.
Remember that root can su to anyone *without* entering a password. By
poking around the user's files *AS THE USER*, there is no chance of
accidentally executing something nasty as root.

In fact only *ever* execute commands as root that you really
*have to*. Su to an appropriate, weaker, userid to do anything else.

AND put "." last in the path, if at all.

Jamie ... Lurker in the Process Table
Written On Wednesday, June 19, 1991 at 10:29:38pm EDT
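
A defensive check for the advice in this thread, added here as an example and not part of the original post: a POSIX shell function that reports every PATH entry that resolves to the current directory (".", an empty entry, or a relative name) and says whether it comes last. It goes one step beyond the post by also flagging absolute entries that are world-writable; the function names and the sample PATH value are constructed for illustration.

```shell
#!/bin/sh
# Audit a PATH-style string for entries that let files in the current
# directory (or in a directory any user can write to) run as commands.

# Print one finding per risky entry; print nothing for a clean path.
audit_path() {
    ap_rest="${1}:"          # trailing ':' so the final entry is parsed too
    ap_pos=0
    while [ -n "$ap_rest" ]; do
        ap_entry=${ap_rest%%:*}      # text before the first ':'
        ap_rest=${ap_rest#*:}        # everything after it
        ap_pos=$((ap_pos + 1))
        if [ -z "$ap_rest" ]; then ap_where="last"; else ap_where="before other entries"; fi
        case $ap_entry in
            '')  echo "entry $ap_pos: empty (implicit current directory), $ap_where" ;;
            .)   echo "entry $ap_pos: '.' (current directory), $ap_where" ;;
            /*)  # absolute: flag it if any user may create files in it
                 if [ -n "$(find -H "$ap_entry" -prune -type d -perm -0002 2>/dev/null)" ]; then
                     echo "entry $ap_pos: $ap_entry is world-writable"
                 fi ;;
            *)   echo "entry $ap_pos: $ap_entry is relative to the current directory" ;;
        esac
    done
}

# Succeed only when audit_path has nothing to report.
path_is_clean() {
    [ -z "$(audit_path "$1")" ]
}

# Constructed sample value, not taken from any real system.
SAMPLE_PATH="/usr/bin:.:/bin::bin/tools"
audit_path "$SAMPLE_PATH"
```

Run it against a root shell's own setting with `audit_path "$PATH"`; a leading, trailing or doubled colon is reported as an empty entry because the shell searches the current directory for it just as it does for ".".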