Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!caip!pyrnj!mirror!rayssd!dpw
From: dpw@rayssd.UUCP (Darryl P. Wagoner)
Newsgroups: net.unix
Subject: Re: Re: Secure PATH
Message-ID: <122@rayssd.UUCP>
Date: Sat, 30-Aug-86 22:12:58 EDT
Article-I.D.: rayssd.122
Posted: Sat Aug 30 22:12:58 1986
Date-Received: Sun, 31-Aug-86 02:28:16 EDT
References: <184@ablnc.UUCP> <5991@alice.uUCp>
Sender: dpw@rayssd.UUCP (Darryl P. Wagoner @ Raytheon Co., Portsmouth RI)
Organization: Raytheon Co., Portsmouth RI
Lines: 26

> > In my .profile, I have eliminated the beginning : in my path. If a
> > program to be executed is not in a directory indicated in my PATH,
> > I execute it by "./". This is not a BIG hurdle but it is more
> > secure.
>
> If you put the current directory at the end of the search path,
> the hassle is much less and the advantage is almost as great.

I have to agree. It is not very effective to put a Trojan Horse
called some-strange-name in a writeable directory. If a person is
dumb enough to execute an unknown program .... Well, you can fill in
the rest. Besides, you don't "cd" into a directory and execute some
program you don't even know the name of. The point is that for a
Trojan Horse to be successful it should be a command that a person
will execute upon entering a directory, namely "ls".

--
Save ihnp4! Mail around it.
--
Darryl Wagoner
Raytheon Co.; Portsmouth RI; (401)-847-8000 x4089
best path         {allegra|gatech|mirror|raybed2} ---------\
next best         {linus|ihnp4|pyrbos} ---------------------->!rayssd!dpw
if all else fails {brunix|cci632} -------------------------/
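
Added example, not part of the original article: a POSIX sh function that flags PATH entries resolving to the current directory, covering both the leading-colon PATH from the quoted post and the "current directory last" variant. The function name audit_path and the sample PATH values are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a PATH string for entries that are resolved
# relative to the current directory. Sample PATH values are constructed.

# audit_path PATHSTRING
# Prints one line per risky entry: "<index>/<total> <where> <why>".
# Returns 0 if no entry depends on the current directory, 1 otherwise.
audit_path() {
    # Appending ":" terminates every entry, so leading, doubled and
    # trailing colons all show up as empty entries.
    rest="$1:"; total=0
    while [ -n "$rest" ]; do            # first pass: count entries
        total=$((total + 1)); rest=${rest#*:}
    done
    rest="$1:"; i=0; rc=0
    while [ -n "$rest" ]; do            # second pass: classify
        entry=${rest%%:*}; rest=${rest#*:}; i=$((i + 1))
        case $entry in
            '')  why='empty entry (means current directory)' ;;
            .)   why='explicit "."' ;;
            /*)  continue ;;            # absolute: not cwd-dependent
            *)   why="relative entry \"$entry\"" ;;
        esac
        # Searched before later directories, a file named "ls" in the
        # current directory shadows the real command. Searched last, it
        # only wins for names found nowhere else on the PATH.
        if [ "$i" -lt "$total" ]; then where=before-other-dirs
        else where=last; fi
        printf '%s\n' "$i/$total $where $why"
        rc=1
    done
    return $rc
}

# Constructed samples: leading colon, current directory last, and a
# PATH with no current-directory entry at all.
for sample in ':/bin:/usr/bin' '/bin:/usr/bin:.' '/bin:/usr/bin'; do
    printf '%s\n' "PATH=$sample"
    audit_path "$sample" || :
done
```

Run it against a login environment with audit_path "$PATH"; a non-zero return means at least one entry depends on the current directory.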