Newsgroups: comp.unix.admin
Path: utzoo!utgpu!jmason2
From: jmason2@gpu.utcs.utoronto.ca (Jamie Mason)
Subject: Re: dot in path (was Re: Mysterious security hole)
Message-ID: <1991Jun20.023256.12713@gpu.utcs.utoronto.ca>
Organization: University of Toronto Computer Services Advisor
References: <91161.131540SCHDAVZ@YaleVM.YCC.Yale.Edu> <70@pyuxf.UUCP> <319@dlss2.UUCP> <22940@ogicse.ogi.edu> <1991Jun19.191124.20380@cs.utk.edu>
Date: Thu, 20 Jun 1991 02:32:56 GMT

In article <1991Jun19.191124.20380@cs.utk.edu> Dave Sill writes:
>Now suppose the user calls up the system administrator, who is known
>to remain su'd to root most of the time, and requests help with make.
>The user explains that when he updates a file, make fails to rebuild
>everything it should. The admin scans the Makefile, does an ls or
>two, touches some files, checks the date, etc. Of course, he's
>careful not to run "make" or the user's program, and he's left dot out
>of his path. Eventually, he sees that a filename is misspelled, or
>that there's a missing dependency, or whatever. The user thanks him,
>and that's that. Right?
>
>Unless the admin happened to mistype "date" as "dtae" at some point.

Of course, the administrator's mistake was *not* that he had "." in his
path. His mistake was that he helped a user with a problem with their
personal files *as root*.

What he/she should have done is su'ed to the user with the problem, then
used *that* shell to solve the problem. Remember that root can su to
anyone *without* entering a password. By poking around the user's files
*AS THE USER*, there is no chance of accidentally executing something
nasty as root.

In fact only *ever* execute commands as root that you really *have to*.
Su to an appropriate, weaker, userid to do anything else. AND put "."
last in the path, if at all.

Jamie ... Lurker in the Process Table
Written On Wednesday, June 19, 1991 at 10:29:38pm EDT
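
Added example, not part of the original post or thread: a POSIX shell function that audits a PATH string for entries that make the shell search the current directory, including empty entries (a leading, trailing or doubled colon), which behave like ".". The function name audit_path and the sample PATH values are constructed for illustration.

```sh
#!/bin/sh
# Added example: report PATH entries that resolve to the current directory.

# audit_path PATH_STRING
# Prints one line per risky entry; exit status 0 if none found, 1 otherwise.
# The body runs in a subshell so its variables do not leak into the caller.
audit_path() (
    rest="$1:"      # trailing ':' so the final entry, even an empty one, is seen
    idx=0
    found=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text before the first ':'
        rest=${rest#*:}     # everything after that ':'
        idx=$((idx + 1))
        case $entry in
            /*) continue ;;   # absolute directory: not affected by the cwd
            '') why='empty entry, searched as the current directory' ;;
            .)  why='"." is the current directory' ;;
            *)  why='relative entry, resolved against the current directory' ;;
        esac
        # Position matters: an early entry shadows system commands, while a
        # last entry is still reached by any name that matches nothing earlier.
        if [ -z "$rest" ]; then pos='last'; else pos='before other entries'; fi
        printf 'entry %d [%s] (%s): %s\n' "$idx" "$entry" "$pos" "$why"
        found=$((found + 1))
    done
    [ "$found" -eq 0 ]
)

# Constructed sample values, not taken from any real system.
for sample in '/usr/bin:/bin' '/usr/local/bin:/usr/bin:.' ':/usr/bin' \
              '/usr/bin::/bin' 'bin:/usr/bin:'; do
    printf 'PATH=%s\n' "$sample"
    if audit_path "$sample"; then
        echo 'no current-directory entries'
    fi
done
```

To check a live session, call `audit_path "$PATH"` in the shell you are about to work in, for example right after su.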