Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!cs.utexas.edu!rutgers!att!cbnews!junk1
From: junk1@cbnews.cb.att.com (eric.a.olson)
Newsgroups: comp.unix.admin
Subject: Re: Mysterious security hole
Message-ID: <1991Jun23.125703.24767@cbnews.cb.att.com>
Date: 23 Jun 91 12:57:03 GMT
References: <1991Jun21.203054.989@serval.net.wsu.edu> <1991Jun22.220635.17145@rock.concert.net>
Organization: AT&T Bell Laboratories
Lines: 45

In article jc@raven.bu.edu (James Cameron) writes:
>>>>>> On 22 Jun 91 22:06:35 GMT, mcmahan@cs.unca.edu (Scott McMahan) said:
>
>Scott> In article <1991Jun21.203054.989@serval.net.wsu.edu> yeidel@tomar.accs.wsu.edu (Joshua Yeidel) writes:
>>>The example of having something in / is bad for obvious reasons. But
>>>what about /tmp? A script named say "la" (common typo of "ls") which
>>>does a chmod 777 /, sends mail to the person and then echoes
>>>"la: Command not found" would do the job nicely.
>>
>>Is /tmp in your path? Why?
>
>Scott> I wondered that myself.
>
>
>Why were talking about '.' being in your path. So, if your
>current directory is /tmp and even if '.' is last in your
>path....
>
>You figure out the trojan horse here...
>
>jc

No, I thought we were talking about using *reasonable* security measures,
especially when running as root. Jamie Mason voiced my sentiments:

> In fact only *ever* execute commands as root that you really
>*have to*. Su to an appropriate, weaker, userid to do anything else.
>AND put "." last in the path, if at all.

The scenarios posted by various individuals assume at least one of the
following:

1. A system directory in root's PATH is left writeable
2. Root is foolish or inexperienced enough to do more than what
   absolutely *requires* root privilege
3. Root is foolish or inexperienced enough to cd to do:
       cd dir; ls
   rather than
       ls dir
   hmmph. probably also does 'pwd' to make sure the 'cd' worked.

I'm not advocating putting '.' in root's path. I don't.
But that's because I fear unexpected consequences of running *any* random commands as root, not because I fear that somebody might leave a trojan horse in a directory.
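
A PATH audit for the conditions listed in the post above ('.' or an empty entry in the path, and a directory in root's PATH that others can write to), as an added example that is not part of the original post. The helper name `audit_path` and its output labels are hypothetical, and it checks only the group/other write bits on each directory itself, not ownership or parent directories.

```sh
#!/bin/sh
# Added example (not from the original post). audit_path is a hypothetical
# helper: it prints one finding per line and returns 1 if it found any.
# The body runs in a subshell, so the IFS and 'set -f' changes do not leak.
audit_path() (
    p="${1-$PATH}:"     # trailing ':' so a final empty entry survives splitting
    set -f              # no globbing while the string is split
    IFS=:
    set -- $p
    n=0 bad=0
    for d in "$@"; do
        n=$((n + 1))
        case $d in
            ''|.)       # an empty entry means the current directory, like '.'
                echo "CWD $n"; bad=1 ;;
            /*)         # absolute: is it writable by group or other?
                        # -H follows a symlinked entry such as /bin -> usr/bin
                if [ -n "$(find -H "$d" -prune \( -perm -0002 -o -perm -0020 \) \
                            -print 2>/dev/null)" ]; then
                    echo "WRITABLE $n $d"; bad=1
                fi ;;
            *)          # relative entries also resolve against the cwd
                echo "RELATIVE $n $d"; bad=1 ;;
        esac
    done
    [ "$bad" -eq 0 ]
)

# Audit the PATH of whoever runs this (run it from root's login environment).
audit_path "$PATH" || echo "PATH has entries that need attention" >&2
```

A sticky world-writable directory such as /tmp is still reported as WRITABLE, because any user can create a new file such as "la" in it.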