
To Atul and Thaths



Hi,
	in response to a question about executing C programs under Linux, with
reference to putting the current directory in the path, Atul remarked:

> On a Unix system, that is akin to suicide. You may believe it makes 
> life easier, but in reality you are defeating the safety mechanism.

In the same thread, in response to a query, Thaths clarified:

> What if J. Malicious Cracker broke into your system and placed a 
> program called 'ls' in some directory?  If '.' precedes other 
> directories in your $PATH you would be running Malicious's ls instead 
> of the system ls when you run ls in the directory where J.M.C's ls is 
> located.  And J.M.C's ls could be doing unspeakable things to your 
> machine.

> This problem is compounded a few times if root is the user with '.' in
> their $PATH.  Seasoned system admins have learnt to type the full path 
> of the various commands.

And I did read elsewhere that this is a security breach. But I wasn't
able to find out much more. So here are the questions:

Thaths assumes (and states so) that this is an issue if the '.' precedes
the other paths. If '.' is the last entry in the $PATH, then is it
considered fixed?

Also, if J.M.C was smart enough (or my system insecure enough) to get
into my directory and put 'ls' or whatever in my directory, the system
(or at least the parts I / J.M.C have access to) is as good as bombed
anyways, so what is your point?

Again, as root, if '.' is the last entry, then the correct version from
bin would kick in, would it not? Alternatively, if it is a new and untried
program that is sitting in the directory, then I have no business running it
as root anyways, regardless of whether I execute it as ./proggy or
/usr/home/username/proggy (or whatever the path is). If these are
considered, then how does the '.' provide a gateway to disaster...?

Thanks
BGa
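The thread above turns on one mechanism: the shell walks $PATH from left to right and runs the first executable file of the requested name that it finds, and '.' (or an empty field) anywhere in that list puts the current directory into the search. The script below is an added example and is not code from the list thread or from any of its posters. It defines two small POSIX sh functions: path_audit() flags PATH entries that pull in the current directory (including the easily overlooked empty field), and first_match() replays the shell's search so the effect of entry order can be seen. The directories, the stand-in "ls" scripts and the "sl" typo are constructed for the demonstration and never touch the real system directories.

```shell
#!/bin/sh
# Added example, not code from the original list thread.
# path_audit()  : report PATH entries that make the shell search the cwd.
# first_match() : replay the shell's left-to-right PATH lookup for a name.

# path_audit PATHSTRING
# Prints one line per risky entry; returns 1 if any was found, 0 otherwise.
# An empty field ("" at either end, or "::" in the middle) also means the
# current directory, which is easy to miss when reading a PATH by eye.
path_audit() {
    _rest="$1:"          # trailing ':' lets the loop consume the last field
    _n=0
    _bad=0
    while [ -n "$_rest" ]; do
        _n=$((_n + 1))
        _e=${_rest%%:*}
        _rest=${_rest#*:}
        case $_e in
            "")  echo "entry $_n: empty field (means current directory)"; _bad=1 ;;
            .)   echo "entry $_n: '.' (current directory)";               _bad=1 ;;
            /*)  ;;                                  # absolute directory: fine
            *)   echo "entry $_n: relative path '$_e'";                   _bad=1 ;;
        esac
    done
    return $_bad
}

# first_match NAME PATHSTRING
# Prints the file the shell would execute for NAME under PATHSTRING, using the
# shell's own rule: the first directory, in order, that holds an executable
# regular file of that name. Returns 1 if no directory matches.
first_match() {
    _rest="$2:"
    while [ -n "$_rest" ]; do
        _e=${_rest%%:*}
        _rest=${_rest#*:}
        _d=${_e:-.}                                   # empty field -> '.'
        if [ -f "$_d/$1" ] && [ -x "$_d/$1" ]; then
            echo "$_d/$1"
            return 0
        fi
    done
    return 1
}

# Demonstration on constructed directories (nothing touches the real system):
#   $tmp/sys  stands in for the system bin directory,
#   $tmp/work is a directory an untrusted party could have written to.
# Runs in a subshell so the cd and cleanup do not affect the caller.
demo() {
    (
        tmp=$(mktemp -d) || exit 1
        mkdir "$tmp/sys" "$tmp/work"
        printf '#!/bin/sh\necho real-ls\n'  > "$tmp/sys/ls"
        printf '#!/bin/sh\necho decoy-ls\n' > "$tmp/work/ls"
        printf '#!/bin/sh\necho decoy-sl\n' > "$tmp/work/sl"   # typo of "ls"
        chmod 755 "$tmp/sys/ls" "$tmp/work/ls" "$tmp/work/sl"

        cd "$tmp/work" || exit 1
        echo "'.' first: ls -> $(first_match ls ".:$tmp/sys")"
        echo "'.' last : ls -> $(first_match ls "$tmp/sys:.")"
        echo "'.' last : sl -> $(first_match sl "$tmp/sys:.")"
        echo "audit of \".:$tmp/sys\":"
        path_audit ".:$tmp/sys" || :
        echo "audit of your own PATH:"
        path_audit "$PATH" && echo "no current-directory entries"
        cd / && rm -rf "$tmp"
    )
}

demo
```

Running it shows the two orderings side by side: with '.' first, the lookup for "ls" lands on the file in the working directory; with '.' last, "ls" resolves to the system copy, but a name that exists only in the working directory (the "sl" typo here) still resolves there. The audit function is the piece worth keeping: run `path_audit "$PATH"` in a login script or a host-hardening check and treat a non-zero return as a finding, remembering that an empty field is reported as well as a literal '.'.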

--------------------------------------------------------------------
For more information on Linux in India visit http://www.linux-india.org/