Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!tut.cis.ohio-state.edu!ucbvax!PHY.DUKE.EDU!rgb From: rgb@PHY.DUKE.EDU ("Robert G. Brown") Newsgroups: comp.sys.sgi Subject: Re: . in $path Message-ID: <9004121536.AA19375@physics.phy.duke.edu> Date: 12 Apr 90 15:36:28 GMT Sender: daemon@ucbvax.BERKELEY.EDU Organization: The Internet Lines: 41 That one is an easy one. IF you leave . in your path as root AND if a clever, malicious user exists on your system THEN they can, in principle, do something like create "Trojan Horse" versions of things like su or ls in their home directories. IF you should ever be (as root) in their home directories and use one of these commands, THEN they can do anything at all they wish with root privileges, including replacing the real su command and/or login command with ones that mail copies of the user passwd's every times someone logs in to the malefactor. It is actually sufficient to simply put the . LAST in the root path, at least for a "low security" system where you "trust" most of your users. In that way, you will always execute the real binary first even if a user has left a TH. They can always leave mistyped traps (sl for ls, us for su) but their odds of success go way down and besides, in a department (as opposed to a "public" facility) who is going to try this anyway. Along the same lines, members of wheel should NEVER su to root anywhere except in a "neutral" directory (like /usr/bin or /etc) where a user would already have to have been root to leave a TH or in their own home directory. This is because . is traditionally the first directory searched on a users path, and if Joe Administrator, as himself, tries to su to root in Harry Hacker's home directory then he really will search Harry's directory for a version of su first. I personally used to leave it last, but now I have removed it on general principles. It isn't that big a deal to type ./command instead of command on the few occasions I execute a script or binary not already on the SAFE root path. Dr. Robert G. Brown System Administrator Duke University Physics Dept. Durham, NC 27706 (919)-684-8130 Fax (24hr) (919)-684-8101 rgb@phy.duke.edu rgb@physics.phy.duke.edu