[8924] in bugtraq
Re: PATH variable in zip-slackware 2.0.35
daemon@ATHENA.MIT.EDU (kay)
Mon Jan 4 13:21:05 1999
Date: Sat, 2 Jan 1999 21:29:12 +0200
Reply-To: kay <kay@PHREEDOM.ORG>
From: kay <kay@PHREEDOM.ORG>
X-To: Steven Alexander <steve@CELL2000.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <000301be368f$95713480$1502110a@mark.dobson.net>
On Sat, 2 Jan 1999, Steven Alexander wrote:
> I recently downloaded the zip disk version of slackware 2.0.35 and I noticed
> two entries that I didn't like in the default PATH: :/usr/andrew/bin
> and :.
> The directory /usr/andrew doesn't exist and shouldn't be included in the
> default path. Also '.' should never be included in root's default path as
> it gives the possibility that a user might place a trojan into his/her
> home directory or another user writeable directory. i.e.: placing a shell
> script 'more' in their home directory that creates a SUID copy of bash
> before executing 'more'. Anyway, placing '.' in your path is a bad idea.
I will assume you are talking about the Slackware 3.6 distribution...
The directory /usr/andrew/bin should contain the Andrew User Interface
System packages. Those are from the Slackware contributed packages,
slackware-3.6/contrib/auis63L4-*.tgz. Note that they are neither
maintained nor supported by Pat Volkerding but by their respective authors.
It is not only zip-slack that contains those in the default PATH variable,
this is found in
/etc/profile:
PATH="$PATH:/usr/X11R6/bin:/usr/andrew/bin:$OPENWINHOME/bin:/usr/games:."
/etc/csh.login:
set path = ( $path /usr/X11R6/bin /usr/andrew/bin $OPENWINHOME/bin /usr/games . )
Also the dot has been included in the path for all versions in
the Slackware distribution I've worked with - 3.[456]. Probably it's the
same with some older ones. The obvious workaround is just to remove those
entries in system-wide scripts.
> cheers,
> Steve
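
Added example (not part of either post and not Slackware's own tooling): a POSIX sh function that checks a PATH string for the two problems raised in this thread, a current-directory entry and a directory that does not exist, and, going slightly beyond the thread, for relative and world-writable entries. The function name `audit_path` and its output labels are assumptions made for this example.

```shell
#!/bin/sh
# audit_path PATHSTRING   (hypothetical helper, written for this example)
# Prints one finding per line and returns non-zero if any entry is unsafe:
#   CWD       entry is "." or empty (an empty entry also means the current directory)
#   RELATIVE  entry is not absolute, so it resolves against the current directory
#   MISSING   directory does not exist (stale entry, like /usr/andrew/bin in the post)
#   WRITABLE  directory is world-writable
# The body runs in a subshell so its variables do not leak into the caller.
audit_path() (
    rest="$1:"      # trailing colon so the last entry is processed too
    rc=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}       # text before the first colon
        rest=${rest#*:}         # everything after it
        case $entry in
            ''|.)
                echo "CWD '$entry'"; rc=1 ;;
            /*)
                if [ ! -d "$entry" ]; then
                    echo "MISSING $entry"; rc=1
                # -prune keeps find on the directory itself; -H follows a symlinked entry
                elif [ -n "$(find -H "$entry" -prune -perm -0002 2>/dev/null)" ]; then
                    echo "WRITABLE $entry"; rc=1
                fi ;;
            *)
                echo "RELATIVE $entry"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ]
)

# Typical use, as root, after editing /etc/profile or /etc/csh.login:
#   audit_path "$PATH"
```

A leading, trailing or doubled colon in PATH is reported as `CWD ''`, since the shell treats an empty entry the same way as `.`.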