Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sun-barr!newstop!west!texsun!csccat!dalnet!dlss2!james
From: james@dlss2.UUCP (James Cummings)
Newsgroups: comp.unix.admin
Subject: Re: Mysterious security hole
Message-ID: <319@dlss2.UUCP>
Date: 15 Jun 91 23:07:39 GMT
References: <91161.131540SCHDAVZ@YaleVM.YCC.Yale.Edu> <70@pyuxf.UUCP>
Organization: RedRock Development
Lines: 22

In article <70@pyuxf.UUCP> mal1@pyuxf.UUCP (25337-maureen lecuona) writes:
 |The security hole having to do with "." being anywhere but last
 |in the PATH is due to the following scenario:
 |
 	[deleted]
 |PATH=.:/bin:/usr/bin:/etc
 |
 |Then if someone has put a trojan anywhere in the /dir which masquerades
 |as a legitimate command, ie: df, diff, or any other frequently used
 |command, the fake version will be used instead of the /bin or /usr/bin
 |version, because it will be found first in the search for the executable.....

Maureen,

	This is not what I would term a "security hole".  This is quite
fixable, and should be by most competent administrators.  I would term this
as one of many stupid (too harsh?) things that vendors of OSs do when they
ship their product.  Very similar to shipping the OS without a root password
or any other number of vendor/administative login ids that come without a
password.  This I can sort of even see their point on, but again it falls to
the administrator to see that these things are put in proper form before
the system is given over to user consumption.