Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sun-barr!newstop!exodus!ichthous.Eng.Sun.COM!mcgrew
From: mcgrew@ichthous.Eng.Sun.COM (Darin McGrew)
Newsgroups: comp.unix.shell
Subject: Re: Dot in PATH?
Message-ID: <6574@exodus.Eng.Sun.COM>
Date: 24 Jan 91 21:44:36 GMT
References: <1991Jan24.203423.25084@ux1.cso.uiuc.edu>
Sender: news@exodus.Eng.Sun.COM
Distribution: comp
Organization: Sun Microsystems, Mt. View, Ca.
Lines: 23

jeffb@aquifer.las.uiuc.edu (Jeffrey Biesiadecki) writes:
>In a recent flame war in alt.sources, it was said that it was a bad idea
>to have '.' in your $PATH variable (I use tcsh, or csh, probably this
>would apply for any shell).  What's wrong with doing this?

If you have '.' early in your search path, and you cd into a
directory that is writable by other people, then you are
vulnerable to trojan horses.  Someone can create a dummy version
of some commonly used command, you can execute it instead of the
real version, and when you execute it, the dummy version can do
any number of things that you wouldn't want it to do.

The risk involved depends on how often you cd into publicly
writable directories, how hostile your environment is, and what
privileges you have that others might be interested in.
Personally, I have '.' in my path when I'm myself, but not when
I'm root.

Darin McGrew                    "The Beginning will make all things new,
mcgrew@Eng.Sun.COM               New life belongs to Him.
Affiliation stated for           He hands us each new moment saying,
identification purposes only.    'My child, begin again....
                                  You're free to start again.'"
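An added example, not part of the original post: a POSIX sh check that reports where '.' (or an equivalent entry) sits in a search path. It goes beyond the post by also flagging empty entries, other relative entries, and absolute directories writable by group or others, which carry the same exposure; `audit_path` and the sample value are hypothetical names constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. audit_path is a hypothetical
# helper name. It prints one finding per line, prefixed with the entry's
# position in the search order, and returns 1 if anything was flagged.
audit_path() {
    rest="$1:"          # trailing ':' keeps a final empty entry visible
    pos=0
    flagged=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text before the first ':'
        rest=${rest#*:}     # text after it
        pos=$((pos + 1))
        case $entry in
            '')
                # Leading, trailing or doubled ':' means the current directory.
                echo "$pos: empty entry (implicit current directory)"
                flagged=1 ;;
            .)
                echo "$pos: '.' (current directory)"
                flagged=1 ;;
            /*)
                # Absolute entry: same exposure if group or others can
                # create files in it. -H resolves a symlinked entry first.
                if [ -d "$entry" ] &&
                   [ -n "$(find -H "$entry" -prune \( -perm -0002 -o -perm -0020 \) -print)" ]; then
                    echo "$pos: $entry is writable by group or others"
                    flagged=1
                fi ;;
            *)
                # Any other relative entry also resolves against the cwd.
                echo "$pos: relative entry '$entry'"
                flagged=1 ;;
        esac
    done
    return "$flagged"
}

# Constructed sample value, not taken from any real account.
sample_path=".:/usr/bin:/bin::tools"
audit_path "$sample_path" || echo "search path needs attention"
```

Run it against the live value with `audit_path "$PATH"`; the position numbers show how early in the search order each flagged entry is consulted.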