Re: why is there . [dot] in default PATH?
On Tue, Apr 04, 2006 at 09:15:58PM +0200, RedShift wrote:
> I cannot see how this would be exploitable. root doesn't have . in its
> PATH. Other people were discussing cat and cta for example. For this to
> work, one would have to be able to write to the victim's home directory,

    $ cd /tmp
    $ ls-la
    $ cd ~
    ksh: /home/joskam: not found
    $ cat ls-la
    #!/bin/sh
    rm -rf ~
    $

HTH.

--
Jurjen Oskam

Savage's Law of Expediency: You want it bad, you'll get it bad.
Re: why is there . [dot] in default PATH?
On Mon, 2006-04-03 at 23:09 +0100, Nick Guenther wrote:
> On 4/3/06, Han Boetes [EMAIL PROTECTED] wrote:
> > Jon Kent wrote:
> > > This one kinda surprised me. When I was looking around my new 3.8
> > > install I noticed that in /etc/skel/.profile that PATH contains a .
> > > in it, which I found surprising as I've always assumed that this was
> > > not a sensible thing to do. I've taken it out as I'm not too happy
> > > when having the current directory in the path.
> >
> > As long as it is at the end of your PATH it's not that bad.
>
> That's good to know. I never even noticed that before. Also: root never
> gets . in $PATH, right?
>
> -Nick

You're right, root does not get the . in the $PATH. Having . in anyone's
$PATH is very brain dead and I'm surprised to see it in OpenBSD.

Regards
Jon
Re: why is there . [dot] in default PATH?
Jon Kent wrote:
> Hi,
>
> This one kinda surprised me. When I was looking around my new 3.8
> install I noticed that in /etc/skel/.profile that PATH contains a . in
> it, which I found surprising as I've always assumed that this was not a
> sensible thing to do. I've taken it out as I'm not too happy when having
> the current directory in the path.
>
> Any ideas why this is there?
>
> Thanks

I cannot see how this would be exploitable. root doesn't have . in its
PATH. Other people were discussing cat and cta for example. For this to
work, one would have to be able to write to the victim's home directory,
and - of course - the victim would have to make that typo. And it only
works when targeting a user, not the computer itself.

I would consider it something handy, in case you don't have write access
outside your home directory, so you can use your own executables, that
can be executed without adding the full path.

In my opinion this bug|feature|exploit doesn't pose any threat to system
security.

Actually that . has been there since the very first version of
skel/dot.profile CVS check in.

Glenn
Re: why is there . [dot] in default PATH?
On Tue, Apr 04, 2006 at 09:15:58PM +0200, RedShift wrote:
[...]
> Other people were discussing cat and cta for example. For this to work,
> one would have to be able to write to the victim's home directory,

Do you never cd out of your home?

Ciao
	Kili
Re: why is there . [dot] in default PATH?
On Tue, 2006-04-04 at 21:15 +0200, RedShift wrote:
> I cannot see how this would be exploitable. root doesn't have . in its
> PATH. Other people were discussing cat and cta for example. For this to
> work, one would have to be able to write to the victim's home directory,
> and - of course - the victim would have to make that typo. And it only
> works when targeting a user, not the computer itself.
>
> I would consider it something handy, in case you don't have write access
> outside your home directory, so you can use your own executables, that
> can be executed without adding the full path.
>
> In my opinion this bug|feature|exploit doesn't pose any threat to system
> security.
>
> Actually that . has been there since the very first version of
> skel/dot.profile CVS check in.
>
> Glenn

Can see your point here, but I prefer to play on the paranoid side of
the fence, hence my dislike of this. I'm not sure it should be there by
default; rather, if you like it you should add it.

Jon
Re: why is there . [dot] in default PATH?
--- Matthias Kilian [EMAIL PROTECTED] wrote:
> On Tue, Apr 04, 2006 at 09:15:58PM +0200, RedShift wrote:
> [...]
> > Other people were discussing cat and cta for example. For this to
> > work, one would have to be able to write to the victim's home
> > directory,
>
> Do you never cd out of your home?

No, he never goes out.

Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
Re: why is there . [dot] in default PATH?
On Tue, Apr 04, 2006 at 08:56:39PM +0100, Jon Kent wrote:
> Can see your point here, but I prefer to play on the paranoid side of
> the fence, hence my dislike of this. I'm not sure it should be there by
> default; rather, if you like it you should add it.

Inexperienced users might add it to the beginning of PATH, so having it
at the end by default is a reasonable compromise.

Anyone with enough experience to know why they want it removed also has
enough experience to remove it themselves.

Regards,
Andrew Dalgleish
Re: why is there . [dot] in default PATH?
Hi!

On Tue, Apr 04, 2006 at 09:15:58PM +0200, RedShift wrote:
[...]
> I cannot see how this would be exploitable. root doesn't have . in its
> PATH. Other people were discussing cat and cta for example. For this to
> work, one would have to be able to write to the victim's home directory,
> and - of course - the victim would have to make that typo. And it only
> works when targeting a user, not the computer itself.

1. IIRC sudo keeps $PATH
2. Both as root and as me, I sometimes cd to /tmp or /var/tmp

> I would consider it something handy, in case you don't have write access
> outside your home directory, so you can use your own executables, that
> can be executed without adding the full path.

For that, I routinely add $HOME/bin to the path and put my own stuff
(mostly shell scripts though) there.

> In my opinion this bug|feature|exploit doesn't pose any threat to system
> security.

And in my opinion, it does. What about secure by default? If you want it
less secure/paranoid, you can still change it yourself.

Kind regards,

Hannah.
Re: why is there . [dot] in default PATH?
Hi!

On Wed, Apr 05, 2006 at 07:35:32AM +1000, Andrew Dalgleish wrote:
> On Tue, Apr 04, 2006 at 08:56:39PM +0100, Jon Kent wrote:
> > Can see your point here, but I prefer to play on the paranoid side of
> > the fence, hence my dislike of this. I'm not sure it should be there
> > by default; rather, if you like it you should add it.
>
> Inexperienced users might add it to the beginning of PATH, so having it
> at the end by default is a reasonable compromise.

For that it'd be enough to have a line with dot at the end of the path
in there, commented out, perhaps with a line like

    #If you really want the current directory in your path, you should
    #at least add it at the end, like this:
    #PATH=foo:bar:.
          ^^^ Here copy the path you set by default, w/o .

> Anyone with enough experience to know why they want it removed also has
> enough experience to remove it themselves.

Secure by Default.

> Regards,
> Andrew Dalgleish

Kind regards,

Hannah.
Re: why is there . [dot] in default PATH?
--- Hannah Schroeter [EMAIL PROTECTED] wrote:
> Hi!
>
> On Wed, Apr 05, 2006 at 07:35:32AM +1000, Andrew Dalgleish wrote:
> > On Tue, Apr 04, 2006 at 08:56:39PM +0100, Jon Kent wrote:
> > > Can see your point here, but I prefer to play on the paranoid side
> > > of the fence, hence my dislike of this. I'm not sure it should be
> > > there by default; rather, if you like it you should add it.
> >
> > Inexperienced users might add it to the beginning of PATH, so having
> > it at the end by default is a reasonable compromise.
>
> For that it'd be enough to have a line with dot at the end of the path
> in there, commented out, perhaps with a line like
>
>     #If you really want the current directory in your path, you should
>     #at least add it at the end, like this:
>     #PATH=foo:bar:.
>           ^^^ Here copy the path you set by default, w/o .
>
> > Anyone with enough experience to know why they want it removed also
> > has enough experience to remove it themselves.
>
> Secure by Default.
>
> > Regards,
> > Andrew Dalgleish
>
> Kind regards,
>
> Hannah.

If my suggestion is completely ridiculous, sorry. But, if . is removed
from the default path, wouldn't it make sense to add a comment in
afterboot(8)? It does seem to be a deviation from the way that the other
*nix's have their defaults.

Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
Re: why is there . [dot] in default PATH?
That is not a . in the sense of the current directory. .profile is a
hidden directory and the . prefix denotes this...

Josh

----- Original Message -----
From: Jon Kent [EMAIL PROTECTED]
To: misc@openbsd.org
Sent: Monday, April 03, 2006 3:10 PM
Subject: why is there . [dot] in default PATH?

> Hi,
>
> This one kinda surprised me. When I was looking around my new 3.8
> install I noticed that in /etc/skel/.profile that PATH contains a . in
> it, which I found surprising as I've always assumed that this was not a
> sensible thing to do. I've taken it out as I'm not too happy when having
> the current directory in the path.
>
> Any ideas why this is there?
>
> Thanks
>
> Jon
Re: why is there . [dot] in default PATH?
Jon Kent wrote:
> This one kinda surprised me. When I was looking around my new 3.8
> install I noticed that in /etc/skel/.profile that PATH contains a . in
> it, which I found surprising as I've always assumed that this was not a
> sensible thing to do. I've taken it out as I'm not too happy when having
> the current directory in the path.
>
> Any ideas why this is there?

As long as it is at the end of your PATH it's not that bad.

# Han
Re: why is there . [dot] in default PATH?
Hello!

On Mon, Apr 03, 2006 at 11:51:17PM +0200, Han Boetes wrote:
...[ . in the path ...]
> As long as it is at the end of your PATH it's not that bad.

I disagree. Because that makes exploiting typos possible. (cat - cta
*oops*, for example)

Kind regards,

Hannah.
Re: why is there . [dot] in default PATH?
On 4/3/06, Josh Caster [EMAIL PROTECTED] wrote:
> That is not a . in the sense of the current directory. .profile is a
> hidden directory and the . prefix denotes this...

What did you smoke? .profile is not a directory and that line DOES add .
to your PATH. And I always learned that was an unsafe thing to do.

Wijnand

--
OpenBSD needs your help improving the software world, please donate:
http://openbsd.org/donations.html
Yes big code using companies, that includes you!
Re: why is there . [dot] in default PATH?
On 4/3/06, Han Boetes [EMAIL PROTECTED] wrote:
> Jon Kent wrote:
> > This one kinda surprised me. When I was looking around my new 3.8
> > install I noticed that in /etc/skel/.profile that PATH contains a .
> > in it, which I found surprising as I've always assumed that this was
> > not a sensible thing to do. I've taken it out as I'm not too happy
> > when having the current directory in the path.
> >
> > Any ideas why this is there?
>
> As long as it is at the end of your PATH it's not that bad.

unless you have a habit of typing sl in /tmp... :)
Re: why is there . [dot] in default PATH?
On 4/3/06, Han Boetes [EMAIL PROTECTED] wrote:
> Jon Kent wrote:
> > This one kinda surprised me. When I was looking around my new 3.8
> > install I noticed that in /etc/skel/.profile that PATH contains a .
> > in it, which I found surprising as I've always assumed that this was
> > not a sensible thing to do. I've taken it out as I'm not too happy
> > when having the current directory in the path.
>
> As long as it is at the end of your PATH it's not that bad.

That's good to know. I never even noticed that before. Also: root never
gets . in $PATH, right?

-Nick
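The two positions in this thread (Jurjen's ls-la demonstration, and Han's and Andrew's "at the end it's not that bad") can be checked side by side. The script below is an added example, not code from the thread or from OpenBSD's skel files. It plants harmless stand-ins for Jurjen's trap in a throwaway directory (standing in for /tmp), runs a typo and a real command name under three PATH values, and includes a check for PATH values that search the current directory. The marker-file scheme, the function names and the assumption that a real ls lives in /usr/bin or /bin are all constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the thread.  Reproduces the "ls-la" trick and
# shows what "." at the END of PATH does and does not protect against.

# Attacker step: drop an executable called NAME into DIR.  When run it only
# touches a marker file so this example is harmless; Jurjen's ran rm -rf ~.
plant_trap() {
    dir=$1; name=$2
    printf '#!/bin/sh\n: > "%s/ran-%s"\n' "$dir" "$name" > "$dir/$name"
    chmod 755 "$dir/$name"
}

# Victim step: from inside DIR, type NAME with PATH set to SEARCHPATH.
# Prints "trap" if the planted file ran, "real" if a genuine binary earlier
# in PATH ran instead, "none" if the shell found no such command.
run_from_dir() {
    dir=$1; searchpath=$2; name=$3
    rm -f "$dir/ran-$name"
    if ( cd "$dir" && PATH=$searchpath && export PATH && hash -r &&
         "$name" >/dev/null 2>&1 ); then
        status=0
    else
        status=$?
    fi
    if [ -e "$dir/ran-$name" ]; then
        echo trap
    elif [ "$status" -eq 0 ]; then
        echo real
    else
        echo none
    fi
}

# Check: does a PATH value search the current directory?  Besides an
# explicit ".", an EMPTY component (leading, trailing or doubled colon)
# also means the current directory, which a plain grep for "." misses.
path_searches_cwd() {
    case ":$1:" in
        *:.:*|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Hardening helper: print PATH with "." and empty components removed,
# the same effect as deleting the trailing ":." from .profile.
strip_cwd_from_path() {
    out=
    old_ifs=$IFS; IFS=:; set -f
    for comp in $1; do
        case $comp in ''|.) continue ;; esac
        out=${out:+$out:}$comp
    done
    set +f; IFS=$old_ifs
    printf '%s\n' "$out"
}

# Walk through the scenarios discussed in the thread.
demo() {
    d=$(mktemp -d) || return 1
    plant_trap "$d" ls-la     # typo of "ls -la": nothing real matches it
    plant_trap "$d" ls        # same name as a real command
    safe=/usr/bin:/bin
    printf 'ls-la  PATH=%s    -> %s\n' "$safe"    "$(run_from_dir "$d" "$safe" ls-la)"
    printf 'ls-la  PATH=%s:.  -> %s\n' "$safe"    "$(run_from_dir "$d" "$safe:." ls-la)"
    printf 'ls     PATH=%s:.  -> %s\n' "$safe"    "$(run_from_dir "$d" "$safe:." ls)"
    printf 'ls     PATH=.:%s  -> %s\n' "$safe"    "$(run_from_dir "$d" ".:$safe" ls)"
    printf 'stripped: %s\n' "$(strip_cwd_from_path "$safe:.")"
    rm -rf "$d"
}

demo
# Expected: none, trap, real, trap, /usr/bin:/bin
```

The third and fourth lines of output are Han's point: with "." last, a planted ls never shadows the real one. The second line is Jurjen's and Hannah's point: a typo matches nothing in the real PATH, so the search falls through to "." no matter where it sits. The only position that is safe against typos is absent, which is what strip_cwd_from_path produces.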