
Re: To Atul and Thaths



Can we have the private discussions through private channels, please.
With due regards

- Soumya
----- Original Message ----- 
From: BGanesh <BGa@xxxxxxxxxxxxx>
To: <linux-india@xxxxxxxxx>
Sent: Thursday, July 01, 1999 2:50 PM
Subject: To Atul and Thaths


> Hi,
> in response to a question about executing C programs under Linux, with
> reference to putting the current directory in the path, Atul remarked:
> 
> > On a Unix system, that is akin to suicide. You may believe it makes
> > life easier, but in reality you are defeating the safety mechanism.
> 
> In the same thread, in response to a query, Thaths clarified:
> 
> > What if J. Malicious Cracker broke into your system and placed a
> > program called 'ls' in some directory?  If '.' precedes other
> > directories in your $PATH you would be running Malicious's ls instead
> > of the system ls when you run ls in the directory where J.M.C's ls is
> > located.  And J.M.C's ls could be doing unspeakable things to your
> > machine.
> 
> > This problem is compounded a few times if root is the user with '.' in
> > their $PATH.  Seasoned system admins have learnt to type the full path
> > of the various commands.
> 
> And I did read elsewhere that this is a security breach. But I wasn't
> able to find out much more. So here are the questions:
> 
> Thaths assumes (and states so) that this is an issue if the '.' precedes
> the other paths. If '.' is the last entry in the $PATH then is it
> considered fixed?
> 
> Also, if J.M.C was smart enough (or my system insecure enough) to get
> into my directory and put 'ls' or whatever in my directory, the system
> (or at least the parts I / J.M.C have access to) is as good as bombed
> anyway, so what is your point?
> 
> Again as root, if '.' is the last entry, then the correct version from
> bin would kick in, would it not? Alt, if it is a new and untried program
> that is sitting in the directory then I have no business to run it as
> root anyway, regardless of whether I execute it as ./proggy or
> /usr/home/username/proggy (or whatever the path is). If these are
> considered then how does the '.' provide a gateway to disaster...?
> 
> Thx
> BGa
> 
> --------------------------------------------------------------------
> For more information on Linux in India visit http://www.linux-india.org/
> 

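As an added illustration of the lookup order the thread is arguing about (this is not code from the original post or from either poster): a small POSIX sh resolver that walks a PATH string the way the shell does, run against a constructed sandbox rather than the real /bin. It assumes `mktemp -d` is available; the sandbox paths and the stand-in commands are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Resolves a command name
# against a PATH string the way the shell does: first matching entry wins.
# "." (or an empty entry, as in "/bin::/usr/bin") means the current dir.
resolve_in_path() {
    _name=$1
    _saved_ifs=$IFS
    IFS=:
    for _dir in $2; do
        if [ -z "$_dir" ]; then _dir=.; fi
        if [ -f "$_dir/$_name" ] && [ -x "$_dir/$_name" ]; then
            IFS=$_saved_ifs
            printf '%s\n' "$_dir/$_name"
            return 0
        fi
    done
    IFS=$_saved_ifs
    return 1
}

# Constructed sandbox (no real system directory is touched): a stand-in
# "system" bin holding ls, and a working directory holding its own ls plus
# an 'sl', the kind of name a mistyped 'ls' turns into.
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
SYSBIN=$SANDBOX/bin
WORKDIR=$SANDBOX/work
mkdir -p "$SYSBIN" "$WORKDIR"
for f in "$SYSBIN/ls" "$WORKDIR/ls" "$WORKDIR/sl"; do
    printf '#!/bin/sh\necho "%s"\n' "$f" > "$f"
    chmod u+x "$f"
done
cd "$WORKDIR"

show() {
    # Print where one name resolves under one PATH string.
    printf '%-3s with PATH=%-16s -> %s\n' "$1" "$2" \
        "$(resolve_in_path "$1" "$2" || echo '(not found)')"
}

show ls ".:$SYSBIN"   # '.' first: the local ls shadows the system one
show ls "$SYSBIN:."   # '.' last: the system ls wins for a correctly typed name
show sl "$SYSBIN:."   # '.' last still resolves ./sl when 'ls' is mistyped
show sl "$SYSBIN"     # no '.' at all: a typo is simply not found
```

The '.'-last case answers the question in the thread only for names that exist in the system directories; any name that does not (a typo, or a command not installed on this box) still falls through to the current directory.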