Newsgroups: comp.unix.bsd.freebsd.misc
Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!news.maxwell.syr.edu!eerie.fr!cnusc.fr!univ-lyon1.fr!fdn.fr!r2d2.fdn.org!sphynx.fdn.fr!causse
From: causse@sphynx.fdn.fr (Philippe Causse)
Subject: Re: New Installation
X-Newsreader: TIN [version 1.2 PL2]
Organization: individual - paris - france
Message-ID: <EALpDE.1Fn@sphynx.fdn.fr>
References: <EAI42z.L80@nonexistent.com> <5lv322$ae8@ui-gate.utell.co.uk> <33838754.41C67EA6@nyct.net> <5m18gk$aq7@ui-gate.utell.co.uk> <33848701.953498@news.tiac.net>
Date: Thu, 22 May 1997 21:08:02 GMT
Lines: 32
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.freebsd.misc:41451

Margaret Tarbet (tarbet@swaa.com) wrote:
: On 22 May 1997 10:52:04 GMT,
: brian@shift.utell.net (Brian Somers) wrote:
: > or put the current directory in your path (unsafe):
: This raises an interesting point. I'm probably just not thinking
: about the problem in the right way, but I can't seem to see
: what's "unsafe" about this. I've raised the question a few
: times in the past and nobody could actually tell me; it was
: always only received wisdom for them. I suppose if it were the
: case that path strings could be appropriated by any accountholder
: and the owner's identity assumed thereby, then that would indeed
: be a Great Gaping Security Hole, but afaik, that's not possible.
: Any elucidation gratefully accepted.

IIRC, this is one possible door for trojan horses. This is related to a
superuser doing a cd to a user account where a trojan horse lives.

For example, user foo writes a fake "ls" program and leaves it in his
account. If mister Charlie Root goes to ~foo and does ls, he/she will
start the fake ls instead of the real one. Good time to steal setuid
bits!

But, IMHO, I think mister Charlie Root should not snoop around in mister
foo's home directory 8-p

Anyway, putting the "dot" directory at the end of the path is certainly
the safest location for it, I presume!

-- 
-------------------------------------------------------------------
P. Causse                                 http://www.fdn.fr/~pcausse
4.4BSD/X11R6/Motif-2.0/C++           mailto:causse@sphynx.fdn.fr (UUCP)
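The mechanism the reply describes is just the shell's left-to-right PATH lookup: whichever directory comes first and holds an executable with the requested name wins, and "." (or an empty component, which means the same thing) puts the current working directory into that search. The script below is an added example for this thread, not code posted by any of its participants. It resolves a command name against a given PATH the way the shell does, and audits a PATH value for the entries an administrator should not have: "." and empty components, relative entries, and directories that anyone can write to. The directory and command name in the demo are constructed for the example; `resolve_command`, `audit_path` and `demo` are names chosen here, not standard tools.

```sh
#!/bin/sh
# Added example (not from the original thread): audit a PATH value for
# entries that let someone else's directory shadow system commands, and
# show which file a command name would resolve to for a given PATH.

# resolve_command NAME PATHVALUE
# Prints the first executable file found for NAME, scanning PATHVALUE
# left to right exactly as the shell does. An empty component or "."
# stands for the current working directory.
resolve_command() {
    _name=$1
    _rest=$2:
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}
        _rest=${_rest#*:}
        [ -z "$_dir" ] && _dir=.
        if [ -f "$_dir/$_name" ] && [ -x "$_dir/$_name" ]; then
            printf '%s\n' "$_dir/$_name"
            return 0
        fi
    done
    return 1
}

# audit_path PATHVALUE
# Prints one line per risky entry and returns 1 if any were found, 0 if
# the PATH is clean. Flags: empty components and "." (current directory),
# relative entries, and directories writable by everyone (mode o+w).
audit_path() {
    _rest=$1:
    _rc=0
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}
        _rest=${_rest#*:}
        case "$_dir" in
            "")  echo "empty component: resolves to the current directory"; _rc=1; continue ;;
            .)   echo "'.' entry: the current directory is searched";      _rc=1; continue ;;
            /*)  ;;
            *)   echo "relative entry '$_dir': depends on where you cd";   _rc=1; continue ;;
        esac
        # -perm -002 matches a directory whose world-write bit is set.
        if [ -d "$_dir" ] && [ -n "$(find "$_dir" -prune -perm -002 2>/dev/null)" ]; then
            echo "world-writable directory: $_dir"
            _rc=1
        fi
    done
    return $_rc
}

# Demonstration with a constructed temporary directory (not a real
# system layout): a command placed in a directory that sorts earlier in
# PATH is the one that gets run, and the audit reports why that is risky.
demo() {
    _d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho from-demo-dir\n' > "$_d/demo-cmd"
    chmod 755 "$_d/demo-cmd"
    echo "With '$_d' first in PATH, demo-cmd resolves to:"
    resolve_command demo-cmd "$_d:/usr/bin:/bin"
    chmod o+w "$_d"
    echo "Audit of '.:/usr/bin:$_d':"
    audit_path ".:/usr/bin:$_d" || echo "=> unsafe PATH"
    rm -rf "$_d"
}

# Run the demonstration only when invoked as: sh path_audit.sh demo
[ "${1:-}" = demo ] && demo
```

Run `audit_path "$PATH"` in a login shell to check your own setting; the reply's advice to put "." last narrows the window (a system binary is found first), but any entry that another account can write to still lets that account supply a command name you have not typed before.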