Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!zaphod.mps.ohio-state.edu!mips!news.cs.indiana.edu!bsu-ucs.uucp!bsu-cs!sam
From: sam@bsu-cs.bsu.edu (B. Sam Blanchard)
Newsgroups: comp.unix.admin
Subject: Re: Mysterious security hole
Message-ID: <12714@bsu-cs.bsu.edu>
Date: 17 Jun 91 17:22:54 GMT
References: <91161.131540SCHDAVZ@YaleVM.YCC.Yale.Edu> <70@pyuxf.UUCP>
Reply-To: sam@bsu-cs.UUCP (B. Sam Blanchard)
Organization: Ontario Systems Corporation
Lines: 23

In article <70@pyuxf.UUCP> mal1@pyuxf.UUCP (25337-maureen lecuona) writes:
>The security hole having to do with "." being anywhere but last
>in the PATH is due to the following scenario:
>
>Let the following be true:
>PATH=.:/bin:/usr/bin:/etc
>
>Maureen Lecuona
>Integrated Business Solutions, Inc.

Here's a nice and fairly simple way to improve security.

PATH=/bin:/usr/bin:/etc

then, to execute something in the local directory use ./command or a full
path. Since non-standard commands as root are "evil" this occasional lapse
is not as hard as it may appear.

If you have local commands then create /usr/local/etc and include this in
your path.

WARNING: do not include a : at the start or end of your PATH. try it ;-)

--
B. Sam Blanchard   UUCP: !{iuvax,pur-ee}!bsu-cs!sam   ARPA: sam@bsu-cs.bsu.edu
3207 W. Devon Rd   (317) 741-4500 work
Muncie, IN 47304
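
The warning about a leading or trailing colon matters because the shell treats an empty PATH entry as the current directory, exactly like an explicit ".". The check below is an added example, not part of the original post; the function name `audit_path` and the sample PATH values are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag PATH entries that make the shell search the current
# directory. audit_path is a hypothetical helper name, not from the post.

# Prints one "<position>:<reason>" line per unsafe entry.
# Returns 0 when the PATH is clean, 1 when at least one entry is unsafe.
audit_path() {
    path_value=$1
    position=0
    found=0
    # Append a sentinel colon so a trailing empty entry survives splitting.
    rest="$path_value:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}      # text before the first colon
        rest=${rest#*:}        # text after the first colon
        position=$((position + 1))
        case $entry in
            '')  echo "$position:empty entry (means current directory)"
                 found=1 ;;
            .)   echo "$position:explicit current directory"
                 found=1 ;;
            /*)  ;;            # absolute directory: not flagged
            *)   echo "$position:relative entry '$entry'"
                 found=1 ;;
        esac
    done
    return $found
}

# Constructed samples: the PATH from the quoted article, the PATH suggested
# in the reply, and the trailing-colon case the WARNING refers to.
for sample in ".:/bin:/usr/bin:/etc" "/bin:/usr/bin:/etc" "/bin:/usr/bin:/etc:"
do
    echo "PATH=$sample"
    audit_path "$sample" || echo "  -> unsafe entries present"
done
```

Running `audit_path "$PATH"` from root's login profile gives a quick check that no current-directory entry has crept in.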