Path: utzoo!utgpu!news-server.csri.toronto.edu!news-server.ecf!me!sun
Newsgroups: comp.unix.admin
From: sun@me.utoronto.ca (Andy Sun)
Subject: Re: Mysterious security hole
Message-ID: <91Jun21.071531edt.18756@me.utoronto.ca>
Organization: U of Toronto, Dept. of Mechanical Engineering
References: <91161.131540SCHDAVZ@YaleVM.YCC.Yale.Edu> <52@bvnews1.bv.tek.com>
Date: 21 Jun 91 11:15:44 GMT

mike@raven.bv.tek.com (Michael Ewan) writes:

>Having . in your path (especially root's) is dangerous because someone could put
>a trojan horse program in / (or your home dir) that would execute instead of the
>system command of the same name. For example: someone could put a command in / and
>call it 'ls', that was actually a shell script that did 'rm -fr /' you'd have a real
>problem. So if you have . in your path you put it last so destructive shell
>scripts can't masquerade as system commands. That is you'll get /bin/ls instead
>of ./ls.

If this is really the case, I am more interested in how that "someone" can
write to /, rather than my having '.' at the beginning of my path. There is
obviously a bigger security hole somewhere on the system than this if some
non-admin people can write to /.

Andy

_______________________________________________________________________________
Andy Sun                        | Internet: sun@me.utoronto.ca
University of Toronto, Canada   | UUCP    : ...!utai!me!sun
Dept. of Mechanical Engineering | BITNET  : sun@me.toronto.BITNET
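
A check covering both points raised in this thread, the '.' entry in the search path and who can write to the directories on it, added here as an example and not part of the original posts. The function name audit_path and the sample search path are constructed for illustration.

```sh
#!/bin/sh
# audit_path PATHSTRING  (hypothetical helper, constructed for this example)
# Prints one line per PATH entry that would let a file planted in the current
# directory, or in a directory other users can write to, shadow a system
# command such as ls. Prints nothing when the search path is clean.
audit_path() (
    rest="$1:"          # trailing ':' so the last entry is processed too
    pos=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        pos=$((pos + 1))
        case $entry in
            '') echo "entry $pos: empty (searched as the current directory)"
                continue ;;
            .)  echo "entry $pos: '.' (current directory)"
                continue ;;
            /*) ;;
            *)  echo "entry $pos: relative path '$entry'"
                continue ;;
        esac
        [ -d "$entry" ] || continue
        # -L follows symlinks such as /bin -> usr/bin. In the mode string
        # (drwxrwxrwx) character 6 is group write, character 9 is other write.
        # Only the directory itself is checked, not its parents.
        case $(ls -dlL "$entry") in
            ????????w*) echo "entry $pos: $entry is world-writable" ;;
            ?????w*)    echo "entry $pos: $entry is group-writable" ;;
        esac
    done
)

# Constructed sample search path; pass "$PATH" to audit a real one.
audit_path ".:/bin:/usr/bin::/tmp"
```

An empty entry (a leading, trailing or doubled ':') is reported because the shell searches it as the current directory, exactly like '.'.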