[8926] in bugtraq
Re: PATH variable in zip-slackware 2.0.35
daemon@ATHENA.MIT.EDU (Rattle)
Mon Jan 4 14:19:01 1999
Date: Mon, 4 Jan 1999 02:29:24 -0600
Reply-To: Rattle <rattle@TLORAH.NET>
From: Rattle <rattle@TLORAH.NET>
X-To: Cacaio Torquato <cacaio@DEATHKNIGHTS.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <3.0.1.32.19981121023133.006883b8@mail.geocities.com>
On Sat, 21 Nov 1998, Cacaio Torquato wrote:
> Just FYI:
>
> As I have seen in Slackware 3.4 CD-Rom, these two entries are also in the
> default PATH.
>
> Maybe this entrie is also included in the default PATH of other versions of
> Slackware.
As far as I can remember, "/usr/andrew" and "." have been in the PATH
on every version of Slackware I have ever installed. Which probably
meants its even in pre 2.0 releases.
While the presence "/usr/andrew" is (in most cases) nothing more than
"clutter", having "." is your path is a very common mistake admins make.
Mainly because people can be to lazy to type ./configure when installing
packages. As previously mentioned, this can is used by the common script
kiddie to easily make a suid shell or other 4xxx toy for himself.
Many a machine has been cracked by someone inserting a script named "ls"
in the /tmp dir.
Also, there are hooks in various Slackware startup scripts (ie:
/etc/rc.d/rc.inet2) to startup various daemons that are not installed by
default. The first one that comes to mind is sshd. While this is not a
security risk (as it only looks to the dirs "/usr/sbin" and
"/usr/local/sbin"). I may be mistaken (Its kinda late here.. heh), but I
can sware that it is not commented out by default. As I said, not a
blatent security risk, but if you have sshd installed, but don't want it
to run.. You may want to comment that out. (And if you don't use
ssh/scp, you should..)
...
. Nick Levay
. rattle@tlorah.net
. "There are two major products that come out of Berkeley: LSD and UNIX.
. We do not believe this to be a coincidence."
