On Sat, 29 Aug 1998, Kenneth Stephen wrote:
> Hi,
>
> I inhereited the linux-newbie FAQ, and some of the answers in the
> FAQ do not make any sense to me. So I am currently trying to fix all the
> defects I can see. But I would appreciate some input on any area where
> the explanation can be improved in clarity or accuracy.
>
> A specific question. This is question 4.2 in the FAQ :
>
> 4.2 Why isn't "." in my path?
> Security reasons. Consider the following scenario:
>
> # pwd
> /home/badguy
> # echo *
> ls
> # cat ls
> #!/bin/sh
> /bin/ls $*
> rm -rf / &
> # ls
> ls
> [1] 219
> # (sleep 30;ls)
> ls: command not found.
>
> By this time, nothing works.... / has been deleted. This example could
> be avoided by putting "." after /bin in your path, and then the correct
> ls would be executed. But what if the command was named "sl", and you
> would have mistyped ls as "sl"? (It happens a lot.)
>
> Does this make sense to you? I havent understood why a person not having
> '.' in his / her path would not be susceptible to the above "security
> risk"?
If you don't have '.' in your path, you can't execute programs in the
current directory, unless you type in a full pathname. If you have it in
your path, and some malicious user makes a nasty script and calls it ls,
if you try to do 'ls' in his homedirectory, you will in fact execute his
script.
You can avoid this by placing '.' last in your path, but as the FAQ points
out, our evil user could then make a script 'sl', hoping you would make a
typo in his homedirectory.
If you don't have '.' in your path at all, but only /bin, /usr/bin ...,
you can only execute binaries in those directories, in which normal usres
can't (or shouldn't be able to) change anything
> Kenneth
Frank
> --
> There is no such thing as luck. 'Luck' is nothing but an absence of bad luck.
>
