Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!usc!ucsd!ucbvax!pasteur!noble
From: noble@ICSI.Berkeley.EDU (Brian Noble)
Newsgroups: comp.unix.admin
Subject: Re: Mysterious security hole
Message-ID: <14086@pasteur.Berkeley.EDU>
Date: 13 Jun 91 00:01:14 GMT
References: <91161.131540SCHDAVZ@YaleVM.YCC.Yale.Edu>
Sender: news@pasteur.Berkeley.EDU
Organization: International Computer Science Institute, Berkeley, CA
Lines: 38

In article cgd@ocf.Berkeley.EDU (Chris G. Demetriou) writes:
>In article <91161.131540SCHDAVZ@YaleVM.YCC.Yale.Edu> SCHDAVZ@YaleVM.YCC.Yale.Edu (Dave Schweisguth) writes:
>>
>>This probably isn't so mysterious, but the subject line has got to be zippy or
>>nobody'll read my post.
>
>not so mysterious...and people would probably read it...but here's a response.
>>
>>The 'login' command initializes PATH with (among other useful directories)
>>'.'. 'su' leaves '.' out. A footnote to a Unix book I have here hints at a
>>security hole involving the _position_ of '.' in PATH, claiming that having
>>'.' first is dangerous. It doesn't say why.
>
>Having . first in a path can in fact be dangerous...
> [a good explanation of why the . first is bad deleted]
>
>cgd
>cgd@ocf.Berkeley.EDU
>OCF Staff - But these words are mine, *ALL MINE*...
>

The PATH = (. /bin ...) problem is only a special case of a more general
problem, to wit: the thing you are executing may not be in just the place
you thought it may have been.

Most manual sets have a section on security (at least the SunOS one does)
and they are Highly Recommended Reading (tm) for anyone who has the
slightest responsibility for administering a system.

One of the things the Sun manual says (which I have really taken to heart)
will eliminate this strange executable location problem altogether:
always use _full_ pathnames, i.e. they start with a / and are really long.

Brian
noble@tenet.berkeley.edu

"Just because I'm paranoid doesn't mean one of my users isn't up to
something"
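As an added example that is not part of the original post: a small POSIX sh audit of the two points above, a PATH checker that flags '.' (and the empty entries that mean the same thing) together with their position, and a resolver that shows which file a bare command name would actually run under a given PATH. The function names `check_path` and `resolve_in_path` are my own, not anything from the Sun manual.

```sh
#!/bin/sh
# Added example: audit a PATH string and show what a bare command name resolves to.
# Plain POSIX sh; splitting is done with parameter expansion rather than IFS,
# because IFS field splitting can silently drop the empty entries we want to see.

# check_path PATH_STRING
# Print one warning per dangerous entry with its position and return 1 if any
# was found. Dangerous: '.', an empty entry (a leading/trailing ':' or '::',
# which also means the current directory), or any relative path. Position
# matters: an entry before /bin or /usr/bin shadows every system command.
check_path() {
    rc=0; pos=0; rest="$1:"          # trailing sentinel so the last entry is seen
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}; pos=$((pos + 1))
        case "$entry" in
            "") echo "warning: empty entry at position $pos (means the current directory)"; rc=1 ;;
            .)  echo "warning: '.' at position $pos"; rc=1 ;;
            /*) ;;                     # absolute path: fine
            *)  echo "warning: relative entry '$entry' at position $pos"; rc=1 ;;
        esac
    done
    return $rc
}

# resolve_in_path PATH_STRING NAME
# Print the file that a bare NAME would execute under PATH_STRING (first
# executable regular file, searched in order) and return 1 if there is none.
# '.' and empty entries are expanded to $PWD so the current-directory lookup
# is explicit in the output.
resolve_in_path() {
    rest="$1:"; name=$2
    while [ -n "$rest" ]; do
        dir=${rest%%:*}; rest=${rest#*:}
        case "$dir" in ""|.) dir=$PWD ;; esac
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# Stand-alone demo: audit the caller's own PATH, then the layout the footnote warns about.
if check_path "$PATH"; then echo "PATH contains only absolute entries"; fi
check_path ".:/usr/bin:/bin" || echo "(the PATH = (. /bin ...) case from the post)"
```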