Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Posting-Version: version B 2.10.1 6/24/83; site umcp-cs.UUCP Path: utzoo!linus!gatech!seismo!umcp-cs!chris From: chris@umcp-cs.UUCP (Chris Torek) Newsgroups: net.unix-wizards Subject: Re: Please do NOT use "/bin/test" as a command name Message-ID: <2514@umcp-cs.UUCP> Date: Tue, 10-Dec-85 09:39:39 EST Article-I.D.: umcp-cs.2514 Posted: Tue Dec 10 09:39:39 1985 Date-Received: Wed, 11-Dec-85 21:59:33 EST References: <313@bdaemon.UUCP> <13400016@mirror.UUCP> <1016@sdcsla.UUCP> <1019@utcs.uucp> <11193@ucbvax.BERKELEY.EDU> Organization: U of Maryland, Computer Science Dept., College Park, MD Lines: 34 [PATH=/foo:/bar:/baz; export PATH] In article <11193@ucbvax.BERKELEY.EDU> cc-06@ucbcory.BERKELEY.EDU (Ilya Goldberg) writes: > no one is trying to save cpu time by doing what they are doing. > Just think of what would happen if the user doesn't have the right > things in his/her path variable or no path at all! Then nothing works at all, so why worry about that case? > Also, I would love to try to break into a system kept secure by > your shell scripts which do not contain absolute path names. Who uses setuid shell scripts? (Actually, I have on one machine a shell script that is run privileged by a separate setuid C program, which verifies the user first; and the script is relatively careful.) > I would do exactly what you suggest - substitute my own versions of > rm, mv, etc so that when a set-u-id root shell script tries to > execute one of those, UNIX will take the version in my directory. Putting in full path names is not the solution---suppose I change $IFS? > So, when writing programs/shell scripts which call other programs > do include full path names, preferrably in a place where they are > easily found and can be easily modified (e.g. ".h" files). Include *paths*, not full path *names*. There is a difference. See `man execvp' and `man execlp'. -- In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 4251) UUCP: seismo!umcp-cs!chris CSNet: chris@umcp-cs ARPA: chris@mimsy.umd.edu