Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!ames!oliveb!3comvax!bridge2!mbt
From: mbt@bridge2.3Com.Com (Brad Turner)
Newsgroups: comp.unix.questions
Subject: Re: ????? HELP!!! what is wrong with this code? ???????
Message-ID: <131@bridge2.3Com.Com>
Date: 19 Oct 88 05:48:40 GMT
References: <456@mrsvr.UUCP>
Organization: 3Com Corp., Mt. View, CA
Lines: 67
Reply-To: mbt@bridge2.3Com.com (Brad Turner)
Distribution: world

In article <10146@cup.portal.com> thad@cup.portal.com (Thad Floryan) writes:
>Doug Gwyn writes: "It is not wise to have the current directory early
>in the PATH directory list."
>
>Though I like UNIX' flexibility in establishing/using paths, I've seen
>systems that always ASSUMED the current directory BEFORE traipsing down
>the path (I find such assumptions odious).
>
>Doug, would you please expand upon your statement (above)? I feel others
>besides myself would appreciate knowing the hidden (?) pitfalls.
>
>Thank you!
>
>Thad Floryan [ thad@cup.portal.com (OR) ..!sun!portal!cup.portal.com!thad ]

Often users leave the permissions on their home directory ``open'' so that
others can put files there, or whatever. The point being, since the sys admin
(root) doesn't own the cwd (most likely), a possible security breach may
occur. Below is the pseudo code for a trojan that might be planted in a user's
home directory under the name ``ls'', which the user more than likely will
execute.
--------pseudo for ls trojan--------
echo realistic looking error message (eg "no more inodes logging user off")
echo identical login string
read user id
echo password prompt
read password for user
echo sorry incorrect login type message
mail/copy/move user id & password to rogue person implementing this trojan
rm ls trojan from cwd
kill parent process and self (the login shell is most likely parent)
------------------------------------

Of course this is limited in that one has to be able to login to the system
first in order to do this, but it still represents a possible security
breach. Use your imagination; I'm sure you can come up with
better/more-interesting/devious/harmful abuses. Specifically the pretense is
to get a user to execute your trojan instead of the real live unix command.

I've never seen any real harmful abuse of security, mostly it was stuff like
harassing the intro cs students.

Story: an instructor told his intro class to alter their path putting ``.''
first so that csh wouldn't have to search as far down the path. Obviously he
wasn't familiar with the csh. Nonetheless the upper level students had lots
of fun mucking with the intro students making "ls" and a host of other unix
commands not work. The instructor really ended up with egg all over his face
and some upper students got a stern scolding.

-brad-
an ex. sys. admin.
-- 
v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v
Brad Turner   1330 Ashleybrook Ln.     (919) 768-2097 | I speak for myself
3Com Corp.    Winston-Salem, NC 27103  mbt@bridge2    | NOT for my employer.
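The pitfall Brad describes is a PATH that lets a planted command file shadow the real one. The following POSIX sh function is an added defensive check, not code from the original post: it walks a PATH string and flags entries that resolve to the current directory ("." or an empty field), other relative entries, and world-writable directories. The function name and the output wording are my own.

```sh
#!/bin/sh
# Audit a PATH string for entries that let a planted "ls" shadow the real
# command.  Prints one line per finding and returns 0 if the PATH is clean,
# 1 if anything was flagged.
audit_path() {
    rest="$1:"          # trailing sentinel so the last field is handled like the others
    status=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case "$entry" in
            ''|.)
                # An empty field (leading, trailing or doubled colon) is the
                # current directory, exactly like "." .
                echo "FLAG current directory in PATH (entry '$entry')"
                status=1
                continue ;;
            /*) ;;
            *)
                echo "FLAG relative entry in PATH: $entry"
                status=1
                continue ;;
        esac
        # ls -L follows symlinks (e.g. /bin -> usr/bin); the first 10
        # characters are the mode string, character 9 is the others-write bit.
        mode=$(ls -ldL "$entry" 2>/dev/null | cut -c1-10)
        case "$mode" in
            '')          echo "note: $entry does not exist" ;;
            d???????w?)  echo "FLAG world-writable directory in PATH: $entry"
                         status=1 ;;
        esac
    done
    return $status
}

# Check the calling shell's own PATH.
audit_current_path() { audit_path "$PATH"; }
```

Run `audit_current_path` from a login shell to see whether "." or an open directory sits anywhere in the search path; group-writable directories are not flagged, so extend the pattern if your site uses shared group directories.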