Path: utzoo!attcan!uunet!lll-winken!lll-tis!helios.ee.lbl.gov!pasteur!agate!bionet!apple!bloom-beacon!tut.cis.ohio-state.edu!osu-cis!att!ihlpb!gregg
From: gregg@ihlpb.ATT.COM (Wonderly)
Newsgroups: comp.unix.questions
Subject: Re: ????? HELP!!! what is wrong with this code? ???????
Message-ID: <8958@ihlpb.ATT.COM>
Date: 19 Oct 88 14:57:54 GMT
References: <8703@smoke.BRL.MIL>
Organization: AT&T Bell Laboratories - Naperville, Illinois
Lines: 42

From article <8703@smoke.BRL.MIL>, by gwyn@smoke.BRL.MIL (Doug Gwyn ):
> In article <10146@cup.portal.com> thad@cup.portal.com (Thad Thad Floryan) writes:
>>Doug Gwyn writes: "It is not wise to have the current directory early
>>in the PATH directory list."
>>Doug, would you please expand upon your statement (above)? I feel others
>>besides myself would appreciate knowing the hidden (?) pitfalls.
>
>	$ cat > /tmp/ls
>	...
>	^D
>	$ chmod +x /tmp/ls
>
> Sometime later the victim comes along and does:
>
>	$ cd /tmp
>	$ ls
>
> It seems to work fine; there is no sign of anything suspicious,
> except the system seems to be busy doing something now...

Some time ago, this whole discussion came up and I posted a note about a
solution that a friend of mine (Mark Vasoll, vasoll@a.cs.okstate.edu) came
up with that I now use in my shell. I use a variable called, dotpath, that
contains a list of directory prefixes under which '.' is valid. A '!' in
front of a path explicitly invalidates it. Currently I use
"dotpath=!~/rje:~". Anytime that an executable is in '.', and '.' is not
valid as described by dotpath, that executable is ignored. If it is the
only executable by that name that is in one of the PATH directories, you
get the diagnostic;

	: current directory not safe

where prog is the name of the command/executable/script.

I find this quite reassuring to have. Currently, my account here is on an
amdahl maxi which has more logins than I can ever know the owners of.
I don't really want to run around covering my backside for every move when
the computer can do it for me. I have yet to come up against a trojan horse
(that is also reassuring).

-- 
Gregg Wonderly
AT&T Bell Laboratories                   DOMAIN: gregg@ihlpb.att.com
IH2D217 - (312) 979-2794                 UUCP:   att!ihlpb!gregg
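
The dotpath check described in the post above, sketched in POSIX sh as an added example; it is not part of the original post and not the shell code Wonderly or Vasoll used. The function names, the left-to-right first-match rule, the treatment of unmatched directories as unsafe, and the `name:` prefix on the diagnostic are assumptions; the `dotpath` value is the one quoted in the post.

```shell
# Added example: sketch of the dotpath check described in the post.
# Assumed: entries are tried left to right and the first matching prefix
# decides; a leading ~ is $HOME; a directory matching no entry is unsafe.

# dot_allowed DIR DOTPATH: exit 0 if '.' may be searched while in DIR.
dot_allowed() {
    da_dir=$1 da_rest=$2:
    while [ -n "$da_rest" ]; do
        da_e=${da_rest%%:*}; da_rest=${da_rest#*:}
        da_verdict=0
        case $da_e in '!'*) da_verdict=1; da_e=${da_e#?} ;; esac
        case $da_e in '~'|'~/'*) da_e=$HOME${da_e#?} ;; esac
        [ -n "$da_e" ] || continue
        case $da_dir/ in "${da_e%/}"/*) return $da_verdict ;; esac
    done
    return 1
}

# safe_lookup CMD CWD PATHLIST DOTPATH: print the file that would run. '.' and
# empty PATH entries mean CWD; a hit there is ignored unless dot_allowed accepts CWD.
safe_lookup() {
    sl_cmd=$1 sl_cwd=$2 sl_list=$3: sl_dp=$4 sl_skipped=
    while [ -n "$sl_list" ]; do
        sl_p=${sl_list%%:*}; sl_list=${sl_list#*:}
        case $sl_p in ''|.) sl_p=$sl_cwd; sl_dot=1 ;; *) sl_dot= ;; esac
        [ -f "$sl_p/$sl_cmd" ] && [ -x "$sl_p/$sl_cmd" ] || continue
        if [ -n "$sl_dot" ] && ! dot_allowed "$sl_cwd" "$sl_dp"; then
            sl_skipped=1; continue
        fi
        echo "$sl_p/$sl_cmd"; return 0
    done
    # Wording from the post; the "name:" prefix is an assumption.
    [ -z "$sl_skipped" ] || echo "$sl_cmd: current directory not safe" >&2
    return 1
}

# Constructed sandbox: an 'ls' planted in a shared tmp dir, a tool under ~.
demo() (
    d=$(mktemp -d) || exit 1
    mkdir -p "$d/bin" "$d/tmp" "$d/home/src"
    for f in "$d/bin/ls" "$d/tmp/ls" "$d/home/src/tool"; do
        printf '#!/bin/sh\n' > "$f"; chmod +x "$f"
    done
    HOME=$d/home
    safe_lookup ls "$d/tmp" ".:$d/bin" '!~/rje:~'        # the bin copy
    safe_lookup tool "$d/home/src" ".:$d/bin" '!~/rje:~' # the '.' copy
    rm -rf "$d"
)
demo
```

Even with '.' first in the search list, the planted `ls` in the shared directory is passed over in favour of the one in the later PATH directory, while a tool under the trusted home prefix still runs from '.'.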