Re: To Atul and Thaths
- Subject: Re: To Atul and Thaths
- From: manas garg <manasg@xxxxxxx>
- Date: Thu, 1 Jul 1999 19:09:38 +0530 (IST)
On Thu, 1 Jul 1999, BGanesh wrote:
> Hi,
>
> Thaths assumes (and states so) that this is an issue if the '.' precedes
> the other paths. If '.' is the last entry in the $PATH then is it
> considered fixed?
>
> Also, if J.M.C was smart enough (or my system insecure enough) to get
> into my directory and put 'ls' or whatever in my directory, the system
> (or at least the parts I / J.M.C have access to) is as good as bombed
> anyways, so what is your point?
>
> Again as root, if '.' is the last entry, then the correct version from
> bin would kick in, would it not? Alt, if it is a new and untried program
> that is sitting in the directory then I have no business to run it as
> root anyways, regardless of whether I execute it as ./proggy or
> /usr/home/username/proggy (or whatever the path is). If these are
> considered then how does the '.' provide a gateway to disaster... ?

OK, let's take a simple example:

I have a fight with my sys admin and I decide to wreak havoc on the system.
I write a small shell script with the only line as

    rm -R .*

case 1: $PATH of root starts with '.'

I name this script ls and put it in the /tmp directory as I have write
permissions there. A nice sys admin who does a little system admin work
will certainly do 'ls' in '/tmp' and the system will be history......
;-)

Strike Rate 100%. (Atul mentioned 'suicide'. I think he was right.)
Hence proved!!

case 2: $PATH of root ends with '.'

I make a lot of copies of this file and name them ls, la, di, ko, foo, bar
etc. etc. and put them in /tmp. Now one fine day, root makes just the typing
mistake which I wanted him to make. And the system will be
history.........;-)

Strike Rate x% (where 0>x<100)
Hence Proved!!

If a user puts '.' in his $PATH, he may not do anything to the system but
he should be careful that he doesn't have enemies who have a login on that
machine ;-)

Hope it's clear now.

Manas
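
A check for the two cases in the message above, as an added example that is not part of the original post: a POSIX shell function (`audit_path`, a name chosen here) that flags '.', empty and other relative entries at any position in a PATH string. It goes one step beyond the thread by also flagging absolute entries that are world-writable, such as /tmp.

```shell
#!/bin/sh
# Added example: audit a PATH string for entries that let a file planted in
# the working directory, or in a directory anyone can write to, run in place
# of (or as a mistyped name of) a real command.
# Prints one finding per line; returns 0 if clean, 1 otherwise.
audit_path() {
    ap_rest="$1:"          # sentinel ':' so a trailing empty entry is seen
    ap_pos=0
    ap_bad=0
    while [ -n "$ap_rest" ]; do
        ap_entry=${ap_rest%%:*}     # text before the first ':'
        ap_rest=${ap_rest#*:}       # drop that entry and its ':'
        ap_pos=$((ap_pos + 1))
        case $ap_entry in
            "")
                echo "position $ap_pos: empty entry, searched as the current directory"
                ap_bad=1 ;;
            /*)
                # Absolute path: flag it if "other" has write permission
                # (9th character of the ls -l mode string), e.g. /tmp.
                case $(ls -ldL "$ap_entry" 2>/dev/null) in
                    ????????w*)
                        echo "position $ap_pos: $ap_entry is world-writable"
                        ap_bad=1 ;;
                esac ;;
            *)
                echo "position $ap_pos: '$ap_entry' is relative to the current directory"
                ap_bad=1 ;;
        esac
    done
    return "$ap_bad"
}

# Constructed sample: '.' placed last, the "case 2" layout from the message.
audit_path "/usr/bin:/bin:." || true
```

Run it as `audit_path "$PATH"` from root's login shell; a leading, trailing or doubled ':' is reported as an empty entry because the shell treats it the same as '.'.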