Jon Kent wrote:
Hi,
This one kinda surprised me. When I was looking around my new 3.8
install I noticed that in /etc/skel/.profile that PATH contains a . in
it, which I found surprising as I've always assumed that this was not a
sensible thing to do. I've taken it out as I'm not too happy when
having the current directory in the path.
Any ideas why this is there?
Thanks
I cannot see how this would be exploitable. root doesn't have . in its
PATH. Other people were discussing cat and cta for example. For this to
work, one would have to be able to write to the victim's home directory,
and - of course - the victim would have to make that typo. And it only
works when targeting a user, not the computer itself.
I would consider it something handy, in case you don't have write access
outside your home directory, so you can use your own executables, that
can be executed without adding the full path.
In my opinion this bug|feature|exploit doesn't pose any threat to system
security.
Actually that . has been there since the very first version of
skel/dot.profile CVS check in.
Glenn
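
An added example, not part of the original thread: a POSIX shell check that reports which PATH entries make the shell search the current directory. It goes beyond the literal `.` discussed above and also flags empty entries (a leading or trailing `:`, or `::`), which shells treat as the current directory, and relative entries. The function name `find_cwd_entries`, its output format and the sample PATH strings are assumptions made for this example.

```shell
#!/bin/sh
# find_cwd_entries PATHSTRING  (hypothetical helper, added for illustration)
# Prints one line per risky entry: "<position> dot", "<position> empty"
# or "<position> relative <entry>".
# Returns 0 when every entry is an absolute path, 1 otherwise.
find_cwd_entries() {
    cwd_rest=$1
    cwd_idx=0
    cwd_found=0
    while :; do
        cwd_idx=$((cwd_idx + 1))
        # Peel off the text before the first ':'; a plain IFS split would
        # silently drop a trailing empty entry, so split by hand.
        case $cwd_rest in
            *:*) cwd_entry=${cwd_rest%%:*}; cwd_rest=${cwd_rest#*:}; cwd_last=0 ;;
            *)   cwd_entry=$cwd_rest; cwd_last=1 ;;
        esac
        case $cwd_entry in
            '') echo "$cwd_idx empty"; cwd_found=1 ;;
            .)  echo "$cwd_idx dot"; cwd_found=1 ;;
            /*) ;;  # absolute path: does not depend on the working directory
            *)  echo "$cwd_idx relative $cwd_entry"; cwd_found=1 ;;
        esac
        if [ "$cwd_last" -eq 1 ]; then
            break
        fi
    done
    [ "$cwd_found" -eq 0 ]
}

# Constructed sample PATH values, not taken from any real system.
for sample in "/bin:/usr/bin:." ":/bin" "/bin::/usr/bin" "/bin:/usr/bin:" "/bin:/usr/bin"; do
    printf 'PATH=%s\n' "$sample"
    find_cwd_entries "$sample" || true
done
```

To check a live session, run `find_cwd_entries "$PATH"` after the profile has been sourced.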