Path: utzoo!hoptoad!amdcad!apple!bionet!bloom-beacon!tut.cis.ohio-state.edu!mailrus!ames!elroy!spl1!laidbak!katzung
From: katzung@laidbak.UUCP (Brian Katzung)
Newsgroups: alt.sources
Subject: Re: login(1) replacement
Summary: One "nit"; one security hole
Keywords: lint, trojan horses
Message-ID: <1776@laidbak.UUCP>
Date: 11 Nov 88 18:29:41 GMT
References: <8549@rpp386.Dallas.TX.US>
Reply-To: katzung@laidbak.UUCP (Brian Katzung)
Organization: Lachman Associates, Inc., Naperville, Illinois
Lines: 11

SECURITY HOLE: Putting ':' at the beginning of the path is just
*ABSOLUTELY BEGGING* for Trojan Horses.  Always put '.' search at
the end if you must put it in at all.  This goes for things like
exec?p() too.

Nit: The login() routine has one formal parameter (login.c) but
gets called with two arguments (main.c).

-- Brian Katzung
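
Added example, not part of Brian Katzung's post or of the posted login source: a C check that walks a PATH-style string and reports whether the current directory is searched and whether it comes ahead of any other directory. The names audit_path and cwd_risk and the sample strings are hypothetical; the check relies on the POSIX rule that an empty component (leading, trailing or doubled ':') means the current directory.

```c
#include <stdio.h>
#include <string.h>

struct path_audit {
    int components;  /* number of colon-separated components */
    int first_cwd;   /* index of first component meaning cwd, -1 if none */
    int relative;    /* components that are not absolute paths */
};

/* Walk a PATH-style string. An empty component (leading, trailing or
 * doubled ':') and a literal "." both mean the current directory. */
struct path_audit audit_path(const char *path)
{
    struct path_audit a = { 0, -1, 0 };
    const char *p = path;

    for (;;) {
        size_t n = strcspn(p, ":");
        int cwd = (n == 0) || (n == 1 && p[0] == '.');
        if (cwd && a.first_cwd < 0)
            a.first_cwd = a.components;
        if (n == 0 || p[0] != '/')
            a.relative++;
        a.components++;
        if (p[n] == '\0')
            break;
        p += n + 1;
    }
    return a;
}

/* 0: cwd never searched; 1: cwd searched last only;
 * 2: cwd searched ahead of another directory (what the post warns about). */
int cwd_risk(const char *path)
{
    struct path_audit a = audit_path(path);
    if (a.first_cwd < 0)
        return 0;
    return a.first_cwd == a.components - 1 ? 1 : 2;
}

int main(void)
{
    /* Constructed sample values, not taken from the posted login source. */
    const char *samples[] = { ":/bin:/usr/bin", "/bin::/usr/bin",
                              "/bin:/usr/bin:.", "/bin:/usr/bin" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s risk=%d\n", samples[i], cwd_risk(samples[i]));
    return 0;
}
```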