[8955] in bugtraq


Re: PATH variable in zip-slackware 2.0.35

daemon@ATHENA.MIT.EDU (bandregg@REDHAT.COM)
Tue Jan 5 13:37:04 1999

Date: 	Tue, 5 Jan 1999 09:49:00 -0500
Reply-To: bandregg@REDHAT.COM
From: bandregg@REDHAT.COM
X-To:         "Patrick J. Volkerding" <gonzo@RRNET.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Your message of "Mon, 04 Jan 1999 15:02:54 CST." 
              <Pine.BSI.3.96.990104143756.5639A-100000@rrnet.com>

[ I told myself to stay out of this. ]

On Mon, 4 Jan 1999 15:02:54 -0600, "Patrick J. Volkerding" wrote:
>3.  If you put '.' last in the $PATH, it's a minimal risk, IMHO.  If you
>    use normal care in user-writable directories you're not likely to ever
>    have a problem.  Attacks would depend on specific typos in specific
>    user-writable directories matching the filename of an attack script.
>    This would be extremely rare.
>
>    However, if you fall into category (1), you can change the default
>    $PATH easily. It's hardly a hidden setting.

# cd /tmp
# sl
bash: sl: command not found

I argue that this is a fairly common occurrence when typing quickly or
sloppily. Whether or not I *can* change $PATH has nothing to do with the fact
that the $PATH you are providing is *less* secure than it can be.

People don't need the ability to run arbitrary programs from their current
directory without the "./". They don't, end of story.
--
                Bryan C. Andregg * <bandregg@redhat.com> * Red Hat Software

        "I was really tired and could not fall asleep."
                        -- Evaluation Comment for my Tutorial
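A PATH audit in the spirit of this thread, added here as an example and not part of the original post: it reports '.' and empty entries (both make the shell search the current directory), other relative entries, and world-writable directories, and returns non-zero when any are found. The sample PATH at the bottom is constructed.

```shell
#!/bin/sh
# audit_path "<PATH string>"
# Prints one line per risky entry and returns 1 if any were found, 0 otherwise.
# Flagged: '.' entries and empty entries (both make the shell search the
# current directory), other relative entries, and world-writable directories.
audit_path() {
    _rest="$1:"   # trailing ':' lets the last field be split like the others
    _bad=0
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        case "$_entry" in
            "") echo "empty entry: the shell searches the current directory"
                _bad=1 ;;
            .)  echo "'.' entry: the shell searches the current directory"
                _bad=1 ;;
            /*) # absolute entry: only risky if other users can plant files in it
                # -H follows a symlinked entry so the target's mode is checked
                if [ -d "$_entry" ] && \
                   [ -n "$(find -H "$_entry" -prune -perm -0002 2>/dev/null)" ]
                then
                    echo "world-writable directory in PATH: $_entry"
                    _bad=1
                fi ;;
            *)  echo "relative entry '$_entry': resolved against the current directory"
                _bad=1 ;;
        esac
    done
    return $_bad
}

# Constructed example: a default with '.' last, as discussed in the thread.
# Audit the live environment with: audit_path "$PATH"
if audit_path "/usr/local/bin:/usr/bin:/bin:."; then
    echo "PATH looks clean"
else
    echo "PATH has risky entries"
fi
```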
