[1757] in linux-security and linux-alert archive


[linux-security] Minor flaw in Caldera OpenLinux 1.2

daemon@ATHENA.MIT.EDU (Andy McRory)
Sun May 17 10:24:09 1998

Date: Sun, 17 May 1998 10:10:34 -0400 (EDT)
From: Andy McRory <pcdr@pcdr.com>
To: linux-security@redhat.com
Reply-to: Andy McRory <pcdr@pcdr.com>
Resent-From: linux-security@redhat.com


(I almost didn't post this 'cause I hope you would notice it immediately
after installing the OS... It's here for the people that don't/won't use
Caldera OpenLinux 1.2)

Hello to all!

By default, Caldera OpenLinux 1.2 adds the current working directory to
the end of the $PATH on login. This of course gives a normal user the
possibility of gaining a root shell by tricking root into running a shell
script in his/her home directory or other publicly writable directory.

I asked Caldera about it and they dismissed it as not being bad enough
to worry about. I'll let you decide how bad having the CWD in your path
is or isn't.

Ciao!


Andy McRory
Systems Administrator
-
The PC Doctor - pcdr@pcdr.com         **** LiNUX Systems Engineers ****
3009-C West Tharpe St.                *      Network  Integrators     *
Tallahassee, Florida 32303            * Custom Servers & Workstations *
Ph 850.575.7213 Fx 850.575.2901       *** Full  Service and Support ***
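
A check for the condition the post describes, as an added example that is not part of the original message or anything shipped by Caldera. It goes slightly beyond the post by also flagging empty entries (which the shell resolves to the current directory, like "."), other relative entries, and world-writable directories; the function name `audit_path` and the sample PATH are assumptions.

```shell
#!/bin/sh
# Added example: flag PATH entries that make command lookup depend on the
# current directory or on a directory any user can write to.

# audit_path PATHSTRING
# Prints one finding per line as "reason: [entry]".
# Returns 0 when the PATH is clean, 1 when at least one entry was flagged.
audit_path() {
    ap_rest="$1:"        # sentinel colon so a trailing empty entry survives
    ap_bad=0
    while [ -n "$ap_rest" ]; do
        ap_entry=${ap_rest%%:*}      # text before the first colon
        ap_rest=${ap_rest#*:}        # everything after that colon
        case $ap_entry in
            "") ap_why="empty entry (current directory)" ;;
            .)  ap_why="current directory" ;;
            /*) # absolute entry: flagged only if "other" has write access
                [ -d "$ap_entry" ] || continue
                case $(ls -ldL "$ap_entry") in
                    d???????w*) ap_why="world-writable directory" ;;
                    *) continue ;;
                esac ;;
            *)  ap_why="relative entry" ;;
        esac
        printf '%s: [%s]\n' "$ap_why" "$ap_entry"
        ap_bad=1
    done
    return "$ap_bad"
}

# Constructed sample modelled on the login default described in the post.
audit_path "/usr/local/bin:/usr/bin:/bin:." || echo "PATH needs fixing"
```

Running `audit_path "$PATH"` from root's login shell reports what that account actually inherits.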
