Bugtraq mailing list archives

Re: PATH variable in zip-slackware 2.0.35


From: bandregg () REDHAT COM (bandregg () REDHAT COM)
Date: Tue, 5 Jan 1999 09:49:00 -0500


[ I told myself to stay out of this. ]

On Mon, 4 Jan 1999 15:02:54 -0600, "Patrick J. Volkerding" wrote:
> 3.  If you put '.' last in the $PATH, it's a minimal risk, IMHO.  If you
>    use normal care in user-writable directories you're not likely to ever
>    have a problem.  Attacks would depend on specific typos in specific
>    user-writable directories matching the filename of an attack script.
>    This would be extremely rare.
>
>    However, if you fall into category (1), you can change the default
>    $PATH easily. It's hardly a hidden setting.

# cd /tmp
# sl
bash: sl: command not found

I argue that this is a fairly common occurrence when typing quickly or
sloppily. Whether or not I *can* change $PATH has nothing to do with the fact
that the $PATH you are providing is *less* secure than it can be.

People don't need the ability to run arbitrary programs from their current
directory without the "./". They don't, end of story.
--
                Bryan C. Andregg * <bandregg () redhat com> * Red Hat Software

        "I was really tired and could not fall asleep."
                        -- Evaluation Comment for my Tutorial
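As an added illustration of the point argued in this thread (not code from the original post or its authors): a POSIX shell audit that flags the PATH entries that let a mistyped command run a file from the current directory or from a world-writable one, and builds a cleaned PATH. The directory names in the sample are constructed, not taken from any real system.

```shell
#!/bin/sh
# Audit a PATH value for the risk discussed in the thread: '.', empty and other
# relative entries resolve against the current directory, and world-writable
# directories let any local user drop a file there, so a typo like "sl" for
# "ls" can run someone else's program. One finding per line; returns 1 if any.
check_path_entries() {
    rest="$1:"           # trailing ':' keeps a final empty entry visible
    found=0
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        case "$entry" in
            "") echo "empty entry: resolves to the current directory"; found=1 ;;
            .)  echo "'.' entry: the current directory"; found=1 ;;
            /*)
                if [ -d "$entry" ]; then
                    # column 9 of 'ls -ld' output is the other-write bit
                    ow=$(ls -ld "$entry" | cut -c9)
                    if [ "$ow" = "w" ]; then
                        echo "world-writable directory: $entry"; found=1
                    fi
                fi ;;
            *)  echo "relative entry '$entry': resolves against the current directory"; found=1 ;;
        esac
    done
    return $found
}

# Rebuild the PATH with '.', empty and relative entries dropped and duplicates
# removed, preserving order. World-writable absolute directories are only
# reported above, since whether to keep them is a local policy decision.
sanitize_path() {
    rest="$1:"; out=""
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        case "$entry" in
            /*) case ":$out:" in
                    *":$entry:"*) ;;                 # already present
                    *) out="${out:+$out:}$entry" ;;
                esac ;;
            *)  ;;                                   # drop '.', '' and relative entries
        esac
    done
    printf '%s\n' "$out"
}

# Constructed sample PATH (not from a real system), mirroring the thread's '.' at the end:
sample="/usr/local/bin:/usr/bin:/bin:/tmp:."
check_path_entries "$sample" || echo "suggested PATH: $(sanitize_path "$sample")"
```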
