[8955] in bugtraq
Re: PATH variable in zip-slackware 2.0.35
daemon@ATHENA.MIT.EDU (bandregg@REDHAT.COM)
Tue Jan 5 13:37:04 1999
Date: Tue, 5 Jan 1999 09:49:00 -0500
Reply-To: bandregg@REDHAT.COM
From: bandregg@REDHAT.COM
X-To: "Patrick J. Volkerding" <gonzo@RRNET.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Mon, 04 Jan 1999 15:02:54 CST."
<Pine.BSI.3.96.990104143756.5639A-100000@rrnet.com>
[ I told myself to stay out of this. ]
On Mon, 4 Jan 1999 15:02:54 -0600, "Patrick J. Volkerding" wrote:
>3. If you put '.' last in the $PATH, it's a minimal risk, IMHO. If you
> use normal care in user-writable directories you're not likely to ever
> have a problem. Attacks would depend on specific typos in specific
> user-writable directories matching the filename of an attack script.
> This would be extremely rare.
>
> However, if you fall into category (1), you can change the default
> $PATH easily. It's hardly a hidden setting.
# cd /tmp
# sl
bash: sl: command not found
I argue that this is a fairly common occurrence when typing quickly or
sloppily. Whether or not I *can* change $PATH has nothing to do with the fact
that the $PATH you are providing is *less* secure than it can be.
People don't need the ability to run arbitrary programs from their current
directory without the "./". They don't, end of story.
--
Bryan C. Andregg * <bandregg@redhat.com> * Red Hat Software
"I was really tired and could not fall asleep."
-- Evaluation Comment for my Tutorial
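As an added example, not part of the thread above, here is a small POSIX sh check for the risk Bryan describes: it audits a PATH string for '.', for empty components (which the shell also treats as the current directory), for relative entries, and for absolute directories that are world-writable without the sticky bit. The function name audit_path is my choice.

```shell
#!/bin/sh
# Added example, not from the original thread: audit a PATH string for
# entries that let a typo ("sl" for "ls") in a user-writable directory run a
# planted file instead of failing with "command not found".
# audit_path (name chosen here) prints one line per finding and returns the
# number of findings (0 means the PATH is clean by these checks).
audit_path() {
    findings=0
    # A trailing colon makes the loop see an empty last field, which the
    # shell would also treat as the current directory.
    rest="$1:"
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        case "$entry" in
            ""|.)
                echo "UNSAFE: current directory in PATH ('${entry:-empty}')"
                findings=$((findings + 1)) ;;
            /*)
                # Absolute entry: flag it only if any user can write to it
                # and the sticky bit is not set (sticky, as on /tmp, stops
                # other users replacing files they do not own).
                if [ -d "$entry" ] && [ -n "$(find "$entry" -prune \
                        -perm -0002 ! -perm -1000 -print 2>/dev/null)" ]; then
                    echo "UNSAFE: world-writable directory in PATH ($entry)"
                    findings=$((findings + 1))
                fi ;;
            *)
                # Relative entry: resolved against whatever directory the
                # user happens to be in, so it has the same problem as ".".
                echo "UNSAFE: relative entry in PATH ($entry)"
                findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Audit the calling shell's own PATH and report the total.
audit_path "$PATH" || echo "$? unsafe PATH entries found"
```

A distribution-default PATH such as the one under discussion would be caught by the first case; the world-writable check covers the less obvious variant where an entry is absolute but lives on a directory any user can write to.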