[8907] in bugtraq
PATH variable in zip-slackware 2.0.35
daemon@ATHENA.MIT.EDU (Steven Alexander)
Sun Jan 3 16:24:56 1999
Date: Sat, 2 Jan 1999 12:36:28 -0800
Reply-To: Steven Alexander <steve@CELL2000.NET>
From: Steven Alexander <steve@CELL2000.NET>
To: BUGTRAQ@NETSPACE.ORG
I recently downloaded the zip disk version of slackware 2.0.35 and I noticed
two entries that I didn't like in the default PATH: :/usr/andrew/bin
and :.
The directory /usr/andrew doesn't exist and shouldn't be included in the
default path. Also '.' should never be included in root's default path as
it gives the possibility that a user might place a trojan into his/her
home directory or another user writeable directory. i.e.: placing a shell
script 'mroe' in their home directory that creates a SUID copy of bash
before executing 'more'. Anyway, placing '.' in your path is a bad idea.
cheers,
Steve
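
One way to check a PATH value for the two problems the post describes (a '.' entry and a directory that does not exist), given here as an added example that is not part of the original message. It goes a little further and also flags empty entries, relative entries and world-writable directories, which carry the same risk; the function name `audit_path` and the sample PATH are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a PATH string for entries that let an unprivileged
# user get a program run by whoever uses that PATH.

# audit_path PATHSTRING -> prints one finding per risky entry, nothing if clean.
audit_path() {
    # Append ':' so a trailing empty entry survives the splitting below.
    ap_rest="$1:"
    while [ -n "$ap_rest" ]; do
        ap_entry=${ap_rest%%:*}
        ap_rest=${ap_rest#*:}
        case "$ap_entry" in
            '') echo "CWD-EMPTY: empty entry (leading, trailing or doubled ':') means the current directory" ;;
            .)  echo "CWD-DOT: '.' means the current directory" ;;
            /*)
                if [ ! -d "$ap_entry" ]; then
                    echo "MISSING: $ap_entry does not exist"
                else
                    # Character 9 of the ls mode string is the write bit for "other".
                    case "$(ls -ldL "$ap_entry")" in
                        ????????w*) echo "WORLD-WRITABLE: $ap_entry" ;;
                    esac
                fi ;;
            *)  echo "RELATIVE: $ap_entry is resolved against the current directory" ;;
        esac
    done
}

# Constructed sample: a typical PATH followed by the two entries named in the post.
SAMPLE_PATH="/usr/local/bin:/usr/bin:/bin:/usr/andrew/bin:."
audit_path "$SAMPLE_PATH"
```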