Karel Bemelmans wrote:
> Aren't we being a bit too paranoid?
>
> First, if he gets access to your account, even ftp only, he might just
> download the /etc/passwd file right away. And second, most systems use
> shadow, so /etc/passwd is useless for a cracker.
>
> Karel
>
I have to agree with Karel here (and Lengard, and Jonathan [in a much earlier
post]). I think that the reasons stated on this list for ordinary users not
having '.' in their PATH are specious.
However, the case of "root" is different. I am not convinced of the
correctness of Jonathan's explanation, since I have a feeling that the actual
impact would be something greater. To justify my gut-feeling, I quote problem 36
of chapter 7 of 'The Design of the Unix Operating System' by Maurice J. Bach:
"A superuser should set up the PATH environment variable so that the shell does
_not_ search for executable files in the current directory. What security
problems exist if it attempts to execute files in the current directory?"
Admittedly, I am unable to answer this question at this point, since my
reading of chapter 7 has been perfunctory at best.
(BTW, one of my ambitions in life is to answer every single question in this
book. I have found that almost every question posed by Bach advances my knowledge
of Unix internals. A book to be highly recommended.)
Kenneth
--
There is no such thing as luck. 'Luck' is nothing but an absence of bad luck.