Jeff Kinz wrote: > You should always use the absolute paths to invoke commands in any script > run by root. This prevents people from putting "trojans" in the path This *shouldn't* be necessary, at least on Linux. [1] The two rules that are necessary anyway are * Root's $PATH should never include any directory where non-"trusted" users can write. * Root should only ever run "trusted" scripts. And no-one can put trojans in the path. OK, I suppose you *can* get around Rule 1 by *always* using absolute paths, but you do have to make sure that both interactive users and scripts always follow that rule. This isn't the norm, and is difficult to enforce. You will notice that the Fedora shell scripts in /etc/ don't follow your suggested rule... James. [1] Certain Unices honoured the SetUID bit on shell scripts. That meant that an attacker could set the PATH appropriately and run the script. The script would run as root, but inherit the attacker's PATH. So unless the script reset PATH first, it could be running the attacker's "versions" of standard shell commands. There were a number of other things that needed doing, and that shell scripts didn't always do. This is (one reason) why Linux does not honour the SetUID bit on shell scripts. -- E-mail address: james | The other shamans laughed at Norgle's Balloon @westexe.demon.co.uk | Animal totem, but he'd show 'em! He'd show 'em all! | Except maybe the Porcupine Shaman. | -- Ursula Vernon