Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!yale!venus!yalevm!schdavz
From: SCHDAVZ@YaleVM.YCC.Yale.Edu (Dave Schweisguth)
Newsgroups: comp.unix.admin
Subject: Mysterious security hole
Message-ID: <91161.131540SCHDAVZ@YaleVM.YCC.Yale.Edu>
Date: 10 Jun 91 17:15:40 GMT
Organization: Yale University
Lines: 19

This probably isn't so mysterious, but the subject line has got to be zippy
or nobody'll read my post.

The 'login' command initializes PATH with (among other useful directories)
'.'. 'su' leaves '.' out. A footnote to a Unix book I have here hints at a
security hole involving the _position_ of '.' in PATH, claiming that having
'.' first is dangerous. It doesn't say why. These add up to something screwy
with '.'.

Can someone explain why root / Joe User ought / ought not have '.' in
his/her path, and if so should it be first, last, or anywhere, and (this is
the good part) why?

The system is an SGI Personal Iris, IRIX v3.3.2, if it matters.

This may well be an FAQ (the book certainly seems to think so) but I haven't
found an FAQ list. If there is one, please let me know.

Thanks!
 _____________________________________________________________________________
/                                                                             \
| Dave Schweisguth            5386 Yale Station              203-436-2694     |
| schdavz@yalevm.ycc.yale.edu New Haven, CT 06502-5386                        |
\_____________________________________________________________________________/
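As an added example that is not part of the original post or of any reply to it: the script below demonstrates the hole the footnote hints at. It builds a scratch directory standing in for a world-writable directory such as /tmp, plants a fake `ls` and a fake `mroe` (a typo of `more`) there, and then resolves each name from inside that directory under three PATH settings: '.' first, '.' last, and no '.' at all. The directory name `TRAP_DIR`, the log file `LOG` and the functions `plant_trojan` and `resolved_as` are this example's own inventions; it assumes a POSIX `/bin/sh`, `mktemp -d`, and a real `ls` at `/bin/ls`.

```shell
#!/bin/sh
# Added example: why the position of '.' in PATH matters.
# (Not from the original post; TRAP_DIR, LOG, plant_trojan and resolved_as
#  are names invented for this demonstration.)

set -u

# Scratch directory standing in for a world-writable place like /tmp.
TRAP_DIR=$(mktemp -d)
LOG="$TRAP_DIR/.ran"          # each planted command appends its name here
trap 'rm -rf "$TRAP_DIR"' EXIT

# plant_trojan NAME: drop an attacker-controlled script called NAME into
# TRAP_DIR.  It logs that it ran, then hands off to the real /bin/NAME (if
# there is one) so the victim sees normal output and suspects nothing.
plant_trojan() {
    name=$1
    cat > "$TRAP_DIR/$name" <<EOF
#!/bin/sh
echo "$name" >> "$LOG"
[ -x "/bin/$name" ] && exec "/bin/$name" "\$@"
exit 0
EOF
    chmod +x "$TRAP_DIR/$name"
}

# resolved_as NAME PATHSPEC: run NAME from inside TRAP_DIR with PATH set to
# PATHSPEC (in a subshell, so the caller's PATH is untouched).  Prints
# "trojan" if the planted copy ran, "real" if NAME resolved elsewhere,
# or "none" if the shell could not find it at all.
resolved_as() {
    name=$1
    path=$2
    : > "$LOG"
    ( cd "$TRAP_DIR" && PATH=$path && "$name" >/dev/null 2>&1 ) || :
    if grep -qx "$name" "$LOG"; then
        echo trojan
    elif ( cd "$TRAP_DIR" && PATH=$path && command -v "$name" >/dev/null 2>&1 ); then
        echo real
    else
        echo none
    fi
}

# The attacker plants a real command name and a likely typo.
plant_trojan ls      # hijacks a command everyone runs
plant_trojan mroe    # hijacks a typo of "more"; no real /bin/mroe exists

# What a victim who cd's into TRAP_DIR and types "ls" or "mroe" actually runs:
for p in ".:/bin:/usr/bin" "/bin:/usr/bin:." "/bin:/usr/bin"; do
    printf 'PATH=%-16s  ls -> %-6s  mroe -> %s\n' "$p" \
        "$(resolved_as ls "$p")" "$(resolved_as mroe "$p")"
done
```

With '.' first, any command the victim types while their current directory is one the attacker can write to runs the attacker's copy, and a copy that execs the real command afterwards leaves no visible sign. With '.' last, commands that exist in the system directories are safe, but a mistyped or locally missing name still falls through to the current directory, which is why '.' anywhere in root's PATH is a bad idea: a single typo while sitting in /tmp runs someone else's code as root. Leaving '.' out entirely, and typing `./cmd` when you really mean the one in the current directory, is the only setting under which this script prints "trojan" for nothing.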