On Fri, 29 Dec 2000, Jeff Waugh wrote:

> Extra credit for the person who explains why '.' isn't in everyone's $PATH
> by default.

Security, of course.

The simplest way to plant a trojan is to write one which creates another
version of a commonly used file - such as ls - and place it in a directory
which it can be used from.

Since all users can write to their own home directory, a hacker plants
such a trojan in the home directory, sets the appropriate permissions, and
voilà - security hole.

If the user is of suitable privilege level on the system, this can lead
to root privs being gained, then the system is wide open.

How'd I do, teach? :-)

DaZZa



-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
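
An added example, not part of the original message: a POSIX shell function that audits a PATH value for the entries the reply above warns about ('.', plus empty and relative entries, which are likewise searched from the current directory) and, going one step beyond the message, for world-writable absolute directories. The function name audit_path and the sample PATH value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a PATH-style string for entries that let a file in an
# attacker-writable directory shadow a system command such as ls.

# audit_path PATH_STRING
# Prints one finding per line; exit status 0 if clean, 1 if anything was flagged.
# The body runs in a subshell "( ... )" so its variables stay local.
audit_path() (
    rest="$1:"          # sentinel ':' so a trailing empty entry is not lost
    index=0
    findings=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        index=$((index + 1))
        case $entry in
            '')
                reason="empty entry, searched as the current directory" ;;
            .|./)
                reason="'.' is the current directory" ;;
            /*)
                reason=""
                # Absolute entry: flag it if any local user may create files there.
                if [ -n "$(find -L "$entry" -prune -perm -0002 2>/dev/null)" ]; then
                    reason="world-writable path entry"
                fi ;;
            *)
                reason="relative entry, resolved against the current directory" ;;
        esac
        if [ -n "$reason" ]; then
            echo "entry $index ($entry): $reason"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
)

# Constructed sample value, not taken from a real system.
SAMPLE_PATH="/usr/local/bin:/usr/bin::bin:."
audit_path "$SAMPLE_PATH" || true
```

Run it against root's own PATH as well as ordinary users'; a leading or trailing ':' is easy to introduce when a profile script appends to an unset variable.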
