Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!think.com!mintaka!ogicse!pochmara
From: pochmara@ogicse.ogi.edu (John Pochmara)
Newsgroups: comp.unix.admin
Subject: Re: Mysterious security hole
Message-ID: <22940@ogicse.ogi.edu>
Date: 17 Jun 91 15:45:35 GMT
References: <91161.131540SCHDAVZ@YaleVM.YCC.Yale.Edu> <70@pyuxf.UUCP> <319@dlss2.UUCP>
Organization: Oregon Graduate Institute (formerly OGC), Beaverton, OR
Lines: 26

In article <319@dlss2.UUCP> james@dlss2.UUCP (James Cummings) writes:
>>In article <70@pyuxf.UUCP> mal1@pyuxf.UUCP (25337-maureen lecuona) writes:
>>The security hole having to do with "." being anywhere but last
>>in the PATH is due to the following scenario:
>This is not what I would term a "security hole". This is quite
>fixable, and should be by most competent administrators. I would term this
>as one of many stupid (too harsh?) things that vendors of OSs do when they
>ship their product.

This *is* a "security hole". Some directories are world writable, and
have to be, i.e. /tmp and /usr/tmp. Say you create a random file in /tmp,
then you cd there and do an 'ls'. And someone else has put a program named
'ls' in /tmp. If '.' is at the beginning of your path, you have just
executed something you did not intend to execute. I would call this a
"security hole". I did see how this could be seen as 'one of many stupid
(too harsh?) things that vendors of OSs do when they ship their product'.

In short, '.' should NOT be in root's PATH, and should be at the end, if at
all, in users' PATH.

--John Pochmara
pochmara@cse.ogi.edu
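The scenario in the post above, as an added example that is not part of the original thread: a POSIX sh script that plants a fake `ls` in a throwaway world-writable directory (never the real /tmp), resolves `ls` with '.' first and then with '.' last in PATH, and also audits a PATH value for the entries an administrator should refuse. The function names `run_with_path`, `check_path` and `demo`, the sandbox layout and the marker string `TROJAN-RAN` are this example's own inventions. It assumes `mktemp -d`, `ls -L` and `cut` are available and that the temporary filesystem allows execution.

```sh
#!/bin/sh
# Added example, not code from the original post. Demonstrates the '.'-in-PATH
# hazard in a throwaway directory (it never writes to the real /tmp) and audits a
# PATH value for the entries a practitioner should refuse: '.', relative
# directories, empty entries (which the shell also treats as '.'), and
# world-writable directories.

# run_with_path PATHVALUE CMD: execute CMD in a subshell with PATH=PATHVALUE and
# print whatever it writes to stdout. Assigning PATH clears the shell's command
# hash, so the lookup is done afresh against PATHVALUE.
run_with_path() {
    ( PATH="$1"; "$2" )
}

# check_path PATHVALUE: print every dangerous entry; return 1 if any is found,
# 0 if the PATH is clean.
check_path() {
    _rc=0
    case "$1" in
        :*|*:|*::*) echo "empty entry (the shell treats it as '.')"; _rc=1 ;;
    esac
    _saved_ifs=$IFS
    IFS=:
    for _d in $1; do
        case "$_d" in
            "") ;;                      # already reported above
            /*)
                # 9th character of the mode string is the other-write bit;
                # -L follows symlinks such as /bin -> /usr/bin.
                if [ -d "$_d" ] && [ "$(ls -ldL "$_d" | cut -c9)" = "w" ]; then
                    echo "world-writable directory on PATH: $_d"
                    _rc=1
                fi ;;
            *)
                echo "relative entry: '$_d' (resolves against the current directory)"
                _rc=1 ;;
        esac
    done
    IFS=$_saved_ifs
    return $_rc
}

# demo: plant a fake 'ls' in a world-writable sandbox directory (mode 1777 like
# /tmp), cd there, and run 'ls' with '.' first and with '.' last in PATH.
# Returns 0 when the fake ran under the first PATH and the real ls under the
# second, which is exactly the hole the post describes.
demo() {
    _real_dir=$(dirname "$(command -v ls)")
    _sandbox=$(mktemp -d) || return 1
    mkdir "$_sandbox/tmp" && chmod 1777 "$_sandbox/tmp"
    printf '#!/bin/sh\necho TROJAN-RAN\n' > "$_sandbox/tmp/ls"
    chmod 755 "$_sandbox/tmp/ls"
    _out_first=$(cd "$_sandbox/tmp" && run_with_path ".:$_real_dir" ls)
    _out_last=$(cd "$_sandbox/tmp" && run_with_path "$_real_dir:." ls)
    rm -rf "$_sandbox"
    echo "'.' first in PATH ran: $_out_first"
    echo "'.' last in PATH ran:  $_out_last"
    [ "$_out_first" = "TROJAN-RAN" ] && [ "$_out_last" = "ls" ]
}

demo
check_path "$PATH" && echo "current PATH looks clean"
```

Note that the sticky bit on /tmp does not help here: it only stops other users from deleting or renaming your files, not from creating a new `ls` of their own, which is why `check_path` flags any world-writable directory regardless of mode 1777. Putting '.' last, as the post recommends, only protects commands that exist elsewhere on PATH; a typo such as `sl` would still pick up a planted file, so leaving '.' out entirely and typing `./prog` when needed is the safer habit.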