On Tue, 12 Mar 2002, Erik Curiel wrote:
> In response to the scenarios suggested by Majcher, Christian and Brandon:
> it's so easy to guard against, it's laughable. Simply have "." be the
> last entry in your path. Then you're going to execute a maliciously named
> binary called "ls" in $PWD for example only if the real "ls" isn't in a
> directory *anywhere* in your path, which I kinda doubt (if that is the
> case, then having "." in your path is the least of your worries). All you
> have to do as root is type out the full name of each command (i.e. don't
> use tab command name-completion) and you'll never execute any binary or
> script in $PWD that you don't intend to. That's a helluva lot easier than
> typing fully-qualified pathnames to every script or binary you run.

i am an engineer. i use make. i can't type. alice the hacker puts 'mkae' in a directory. i am fucked. it's a bad idea. you can't guard against it completely.

--
christian void - [EMAIL PROTECTED]
www.morphine.com/void/
gpg key available on request

_______________________________________________
Bits mailing list
[EMAIL PROTECTED]
http://www.sugoi.org/mailman/listinfo/bits
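
The two positions in this exchange, as an added example that is not part of either post: `cwd_entries` lists the PATH entries the shell resolves against the current directory (an empty entry behaves the same as "."), and `first_hit` reports which entry would supply a given command name. The function names and the temporary sandbox files are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sandbox files are constructed.

# cwd_entries PATHSTRING: print "<index> <kind>" for each entry the shell
# resolves against the current directory. Status 1 if any exist, else 0.
cwd_entries() (
    rest="$1:"; idx=0; found=0      # added ":" keeps a trailing empty entry
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}; idx=$((idx + 1))
        case $entry in
            '') kind=empty ;;       # leading, trailing or doubled ":" acts as "."
            .)  kind=dot ;;
            /*) continue ;;         # absolute entry, independent of $PWD
            *)  kind=relative ;;
        esac
        echo "$idx $kind"; found=1
    done
    exit "$found"
)

# first_hit CMD PATHSTRING: print the first PATH entry holding an executable
# file named CMD (an empty entry is shown as "."). Status 1 if none does.
first_hit() (
    rest="$2:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}
        dir=${entry:-.}
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            echo "$dir"; exit 0
        fi
    done
    exit 1
)

# Constructed sandbox: bin/ holds "make", work/ holds a file named "mkae".
demo() (
    box=$(mktemp -d) || exit 1
    mkdir "$box/bin" "$box/work"
    for f in bin/make work/mkae; do
        printf '#!/bin/sh\n' > "$box/$f" && chmod +x "$box/$f"
    done
    cd "$box/work" || exit 1
    p="$box/bin:."                  # "." last, as in the quoted advice
    echo "cwd entries: $(cwd_entries "$p")"
    echo "make <- $(first_hit make "$p")"   # bin/ wins, "." never consulted
    echo "mkae <- $(first_hit mkae "$p")"   # nothing earlier matches, "." wins
    cd / && rm -rf "$box"
)
demo
```

Running `cwd_entries "$PATH"` in a root shell and getting no output (status 0) means no lookup can fall through to the working directory, whatever is typed.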
