On Thu, 2007-12-20 at 09:07 -0800, Les wrote: > Note that the PATH environment variable determines the locations > searched and the order in which they are searched. The last location > should be /usr/bin. Care should be exercised in setting up applications > such that the path and file name choices within the path sequence do not > mask system operation programs. For instance if there is a system > command say "sed" for example, but you create a program or script and > call it "sed", then place it in the path before /usr/bin, the result > will be that you will execute the "sed" script rather than the system > command. Not only will this affect direct "sed" commands, but it will > also cause scripts calling "sed" to malfunction when that script is in > the path before the "sed" program. > > I know that quotes are not necessary, but I put them there to emphasize > the name of the command and script to trigger your eyes to check it out. > > One other issue is the users who place their directory or one that they > have write access to in the path. This is a security issue. If you > then inadvertantly run a virus script, it can generate the executable in > your local executable directory. Then just one instance of exercising > that directory as root or via suedo, and you have problems. As a > developer, I have used a local "bin" directory to check out scripts. I > generatlly make it under root, and executable as group and world, but > not root. Then I can put trials in it amd work with them (this was on > solaris, so I suspect it will also work on Linux, but I haven't tried > it). Just be careful. ---- of course the 'path' parse order is a feature, not a flaw. It allows you to substitute alternative versions of programs say in /usr/local/bin or ~/bin while still keeping the standard versions where they are. Security of course is always a concern but if someone is writing files onto your executiion paths on your filesystem without your knowledge, you were already 'boned' ;-) Craig
