*BSD News Article 95952


Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!news.wildstar.net!news.inetnebr.com!news.enteract.com!newsfeed.enteract.com!insync!feed1.news.erols.com!howland.erols.net!cam-news-hub1.bbnplanet.com!su-news-hub1.bbnplanet.com!news.bbnplanet.com!csn!nntp-xfer-1.csn.net!boulder!rintintin.Colorado.EDU!fcrary
From: fcrary@rintintin.Colorado.EDU (Frank Crary)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: New Installation
Date: 23 May 1997 14:55:37 GMT
Organization: University of Colorado, Boulder
Lines: 29
Message-ID: <5m4b59$p51@lace.colorado.edu>
References: <EAI42z.L80@nonexistent.com> <5m18gk$aq7@ui-gate.utell.co.uk> <33848701.953498@news.tiac.net> <EALpDE.1Fn@sphynx.fdn.fr>
NNTP-Posting-Host: rintintin.colorado.edu
NNTP-Posting-User: fcrary
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.freebsd.misc:41401

In article <EALpDE.1Fn@sphynx.fdn.fr>,
Philippe Causse <causse@sphynx.fdn.fr> wrote:
>: > or put the current directory in your path (unsafe):

>: This raises an interesting point.  I'm probably just not thinking
>: about the problem in the right way, but i can't seem to see
>: what's "unsafe" about this.   I've raised the question a few
>: times in the past and nobody could actually tell me...

>IIRC, this is one possible door for trojan horses.
>This is related to a superuser doing a cd to a user account where a trojan
>horse lives. For example, user foo writes a fake "ls" program and leaves
>it in his account. If mister Charlie Root goes to ~foo and does ls, he/she
>will start the fake ls instead of the real one.  Good time to steal setuid
>bits !
>But, IMHO, I think mister Charlie Root should not snoop around in mister
>foo's home directory 8-p
>Anyway, putting the "dot" directory at the end of the path is certainly
>the safest location for it, I presume!

Another problem is hiding a trojan horse. If the current directory
is in a user's path, someone could run their own code and have it
appear, in ``ps'' or ``top'' or whatever, as something like ``csh''.
Very few system administrators would be suspicious seeing ``csh''
running for a long time, while they might wonder about ``./a.out''
if it were active for days.

                                                     Frank Crary
                                                     CU Boulder
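The lookup the thread describes, as an added example that is not part of Frank Crary's post or of the rest of the thread. The script builds a scratch directory standing in for ~foo, drops into it a fake "ls" that records that it ran and then execs the real /bin/ls so the victim sees a normal listing, and probes which program answers to "ls" under three PATH orderings. It goes one step beyond the thread: the same directory also holds a trojan named "lss" (a constructed name chosen because no such command is installed), which shows that putting "." last still runs a trojan named after a command that is missing or mistyped. The directory, the file names, the log file and the helper names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original thread. Demonstrates how a
# file named after a command, planted in the current directory, is run
# in place of the real one whenever "." appears in PATH.

# Build the booby-trapped directory (assumed stand-in for ~foo).
# Each trojan logs a hit to $TROJAN_LOG, then execs the real command
# from /bin if one exists so the caller notices nothing. "lss" is a
# constructed name for a command that is not installed anywhere.
make_trap_dir() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/trap.XXXXXX")
    for name in ls lss; do
        cat > "$dir/$name" <<'EOF'
#!/bin/sh
# Trojan: record the hit, then behave like the real command if any.
echo "trojan $0 ran in $PWD" >> "$TROJAN_LOG"
name=${0##*/}
[ -x "/bin/$name" ] && exec "/bin/$name" "$@"
EOF
        chmod +x "$dir/$name"
    done
    echo "$dir"
}

# probe DIR CMD PATHVALUE: cd into DIR, set PATH to PATHVALUE, run CMD,
# and print "trojan" if the planted file answered, else "real".
probe() {
    log=$(mktemp "${TMPDIR:-/tmp}/hits.XXXXXX")
    (
        cd "$1" || exit 1
        TROJAN_LOG=$log; export TROJAN_LOG
        PATH=$3; export PATH
        hash -r                       # drop cached command locations
        "$2" >/dev/null 2>&1
    ) || true                         # a missing command is not an error here
    if [ -s "$log" ]; then echo trojan; else echo real; fi
    rm -f "$log"
}

main() {
    trapdir=$(make_trap_dir)
    echo "dot first, ls : $(probe "$trapdir" ls  .:/usr/bin:/bin)"   # trojan
    echo "dot last,  ls : $(probe "$trapdir" ls  /usr/bin:/bin:.)"   # real
    echo "no dot,    ls : $(probe "$trapdir" ls  /usr/bin:/bin)"     # real
    echo "dot last,  lss: $(probe "$trapdir" lss /usr/bin:/bin:.)"   # trojan
    echo "no dot,    lss: $(probe "$trapdir" lss /usr/bin:/bin)"     # real
    rm -rf "$trapdir"
}

main "$@"
```

The fake "ls" gets the victim's uid and working directory with no visible sign, which is the setuid-stealing scenario in the quoted post; the "lss" case shows why "." at the end of PATH only narrows the exposure to names that do not resolve earlier, and why leaving "." out and typing ./prog is the only ordering that removes it.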