Path: utzoo!mnetor!uunet!lll-winken!lll-lcc!ames!pasteur!ucbvax!ucsfcgl!cca.ucsf.edu!root
From: root@cca.ucsf.edu (Computer Center)
Newsgroups: comp.unix.xenix
Subject: Re: Some questions.
Message-ID: <1145@ucsfcca.ucsf.edu>
Date: 28 Jan 88 08:07:12 GMT
References: <2281@gryphon.CTS.COM>
Organization: Computer Center, UCSF
Lines: 22
Summary: at least put it at the end

In article <2281@gryphon.CTS.COM>, wrm@pnet02.cts.com (William Mattil) writes:
>
> From a security standpoint, it is not a good idea to include the
> current directory (.) in the PATH for root.
>

Whatever you do, don't put . in root's PATH before the usual
directories which could cause you (as root) to execute, let's
say "ls" and get some total stranger. For example, a script
in that directory like

	chown root file
	chmod 4777 file
	ls $*

and you have just created a trojan horse for someone _and_don't_even_
_know_anything_has_happened_.

Thos Sumner       (thos@cca.ucsf.edu)   BITNET:  thos@ucsfcca
(The I.G.)        (...ucbvax!ucsfcgl!cca.ucsf!thos)

OS 2 -- the Operating System for puppets.

#include
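
Added example, not part of the original post: a POSIX sh check for the kind of PATH entry discussed above. It goes a little beyond the post by also flagging empty entries (a leading, trailing or doubled colon), which the shell resolves as the current directory, and other relative entries. The function names path_risks and clean_path and the sample PATH value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a PATH string for entries that resolve against
# the current directory. Function names are hypothetical.

# path_risks PATHSTRING
# Prints one line per risky entry as "<position>:<kind>:<entry>".
#   dot      - a literal "." entry
#   empty    - zero-length entry (leading/trailing ":" or "::"),
#              which the shell also treats as the current directory
#   relative - any other entry that does not start with "/"
path_risks() {
    rest="$1:"          # sentinel colon so a trailing empty entry is seen
    pos=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        pos=$((pos + 1))
        case $entry in
            '')  echo "$pos:empty:" ;;
            .)   echo "$pos:dot:." ;;
            /*)  ;;                        # absolute entry: fine
            *)   echo "$pos:relative:$entry" ;;
        esac
    done
}

# clean_path PATHSTRING
# Prints the same PATH with every non-absolute entry dropped,
# preserving the order of the remaining directories.
clean_path() {
    rest="$1:"
    out=
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            /*) out=${out:+$out:}$entry ;;
        esac
    done
    printf '%s\n' "$out"
}

# Constructed sample: "." ahead of the system directories.
sample=".:/bin:/usr/bin"
path_risks "$sample"
clean_path "$sample"
```

Run path_risks "$PATH" from root's login shell; any output means a command name can be resolved from whatever directory root happens to be in.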