Dot in PATH?

Darin McGrew mcgrew at ichthous.Eng.Sun.COM
Fri Jan 25 08:44:36 AEST 1991


jeffb at aquifer.las.uiuc.edu (Jeffrey Biesiadecki) writes:
>In a recent flame war in alt.sources, it was said that it was a bad idea
>to have '.' in your $PATH variable (I use tcsh, or csh, probably this
>would apply for any shell).  What's wrong with doing this?

If you have '.' early in your search path, and you cd into a
directory that is writable by other people, then you are
vulnerable to trojan horses.  Someone can create a dummy version
of some commonly used command, you can execute it instead of the
real version, and when you execute it, the dummy version can do
any number of things that you wouldn't want it to do.

The risk involved depends on how often you cd into publicly
writable directories, how hostile your environment is, and what
privileges you have that others might be interested in.
Personally, I have '.' in my path when I'm myself, but not when
I'm root.

                 Darin McGrew     "The Beginning will make all things new,
           mcgrew at Eng.Sun.COM      New life belongs to Him.
       Affiliation stated for      He hands us each new moment saying,
identification purposes only.      'My child, begin again....
				    You're free to start again.'"
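
Added example, not part of the original post: a POSIX shell audit of a PATH string for the condition discussed above. It flags '.', empty components (which the shell also resolves to the current directory), relative entries, and directories writable by group or others, wherever they appear in the path. The function names `kind_of_entry` and `audit_path` are made up for this example.

```shell
#!/bin/sh
# Added example: report PATH components that make the shell search the
# current directory or a directory other users can write to.
# kind_of_entry and audit_path are names invented for this example.

# Print the risk class of one PATH component, or "ok".
kind_of_entry() {
    case "$1" in
        "") echo "cwd-empty"; return 0 ;;   # empty component = current directory
        .)  echo "cwd-dot";   return 0 ;;
        /*) ;;                              # absolute: check permissions below
        *)  echo "relative";  return 0 ;;   # resolved against the current directory
    esac
    if [ -d "$1" ]; then
        # -L follows symlinks such as /bin -> usr/bin; only the mode string matters.
        mode=$(ls -ldL -- "$1" 2>/dev/null) || mode=""
        case "$mode" in
            # 6th character is group write, 9th is other write
            ?????w*|????????w*) echo "writable-by-others"; return 0 ;;
        esac
    fi
    echo "ok"
}

# Print "position kind [entry]" for every risky component of the PATH string $1.
audit_path() {
    rest="$1:"          # trailing ':' so a final empty component is not lost
    pos=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        pos=$((pos + 1))
        kind=$(kind_of_entry "$entry")
        if [ "$kind" != "ok" ]; then
            printf '%s %s [%s]\n' "$pos" "$kind" "$entry"
        fi
    done
    return 0
}

# Audit the PATH of the shell running this script.
audit_path "$PATH"
```

A lower position means the entry is searched earlier, so a planted command there shadows more of the real ones.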


