[1757] in linux-security and linux-alert archive
[linux-security] Minor flaw in Caldera OpenLinux 1.2
daemon@ATHENA.MIT.EDU (Andy McRory)
Sun May 17 10:24:09 1998
Date: Sun, 17 May 1998 10:10:34 -0400 (EDT)
From: Andy McRory <pcdr@pcdr.com>
To: linux-security@redhat.com
Reply-to: Andy McRory <pcdr@pcdr.com>
Resent-From: linux-security@redhat.com
(I almost didn't post this because I hope you would notice it immediately
after installing the OS... It's here for the people that don't/won't use
Caldera OpenLinux 1.2)

Hello to all!

By default, Caldera OpenLinux 1.2 adds the current working directory to
the end of the $PATH on login. This of course gives a normal user the
possibility of gaining a root shell by tricking root into running a shell
script in his/her home directory or other publicly writable directory.

I asked Caldera about it and they dismissed it as not being bad enough
to worry about it. I'll let you decide how bad having the CWD in your path
is or isn't.
Ciao!
Andy McRory
Systems Administrator
-
The PC Doctor - pcdr@pcdr.com **** LiNUX Systems Engineers ****
3009-C West Tharpe St. * Network Integrators *
Tallahassee, Florida 32303 * Custom Servers & Workstations *
Ph 850.575.7213 Fx 850.575.2901 *** Full Service and Support ***
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null
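
An added example, not part of the original post and not Caldera's code: a POSIX sh check an administrator can run against root's $PATH to find elements that resolve against the current working directory (".", an empty element from a leading, trailing or doubled colon, or any other relative path), plus a helper that prints the PATH with those elements removed. The function names and the sample PATH are assumptions made for illustration.

```shell
#!/bin/sh
# path_cwd_entries PATHSTRING
# Prints "position:element" for every element that is looked up relative to
# the current directory. Returns 0 if any were found, 1 if the PATH is clean.
path_cwd_entries() {
    _rc=1
    _rest="$1:"          # sentinel colon so a trailing empty element is seen
    _idx=0
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        _idx=$((_idx + 1))
        case $_entry in
            '') echo "$_idx:<empty>"; _rc=0 ;;   # empty element means CWD
            /*) ;;                               # absolute path: fine
            *)  echo "$_idx:$_entry"; _rc=0 ;;   # ".", "bin", "../x", ...
        esac
    done
    return $_rc
}

# path_strip_cwd PATHSTRING
# Prints PATHSTRING with every non-absolute element dropped, order preserved.
path_strip_cwd() {
    _rest="$1:"
    _out=
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        case $_entry in
            /*) _out=${_out:+$_out:}$_entry ;;
        esac
    done
    printf '%s\n' "$_out"
}

# Constructed sample resembling the situation described (CWD appended last);
# it is not the actual default PATH shipped by the distribution.
sample='/bin:/usr/bin:/usr/local/bin:.'
if path_cwd_entries "$sample"; then
    echo "cleaned PATH: $(path_strip_cwd "$sample")"
fi
```

To audit a live session, pass "$PATH" instead of the sample string, and check the login scripts that build it as well as the running shell.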