[ I told myself to stay out of this. ]

On Mon, 4 Jan 1999 15:02:54 -0600, "Patrick J. Volkerding" wrote:

>3. If you put '.' last in the $PATH, it's a minimal risk, IMHO. If you
>   use normal care in user-writable directories you're not likely to ever
>   have a problem. Attacks would depend on specific typos in specific
>   user-writable directories matching the filename of an attack script.
>   This would be extremely rare.
>
>   However, if you fall into category (1), you can change the default
>   $PATH easily. It's hardly a hidden setting.

# cd /tmp
# sl
bash: sl: command not found

I argue that this is a fairly common occurrence when typing quickly or
sloppily. Whether or not I *can* change $PATH has nothing to do with the
fact that the $PATH you are providing is *less* secure than it can be.

People don't need the ability to run arbitrary programs from their
current directory without the "./". They don't, end of story.

-- 
Bryan C. Andregg * <bandreggat_private> * Red Hat Software

"I was really tired and could not fall asleep."
        -- Evaluation Comment for my Tutorial
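
Added example, not part of the original message: a POSIX shell check that reports every $PATH component the shell resolves against the current directory, which covers the '.' entry discussed above and also empty and relative components. The function name `path_cwd_entries`, its "position:kind:entry" output format and the sample values are choices made for this example.

```shell
#!/bin/sh
# Added example: report $PATH components that are searched relative to the
# current directory. Output format "position:kind:entry" is this example's own.

path_cwd_entries() (
    rest="$1:"      # trailing ':' so a final empty component is also examined
    pos=0
    found=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}       # text before the first ':'
        rest=${rest#*:}         # text after the first ':'
        pos=$((pos + 1))
        case $entry in
            '')  kind=empty ;;      # "::", a leading ':' or a trailing ':' mean cwd
            .)   kind=dot ;;        # the case argued about in the message
            /*)  continue ;;        # absolute: not tied to the current directory
            *)   kind=relative ;;   # "bin", "./bin", "../x" follow cwd too
        esac
        printf '%s:%s:%s\n' "$pos" "$kind" "$entry"
        found=1
    done
    [ "$found" -eq 0 ]          # exit status 0 only when nothing was reported
)

# Constructed sample values, not taken from any real system.
for sample in "/usr/local/bin:/usr/bin:/bin" "/usr/bin:/bin:." "/usr/bin::/bin:"; do
    echo "PATH=$sample"
    path_cwd_entries "$sample" || echo "  -> current directory is searched"
done

# Check the PATH of the invoking shell as well.
path_cwd_entries "$PATH" || echo "this shell's PATH searches the current directory" >&2
```

A non-zero exit status from the function makes it usable as a gate in a login-script or image-build check.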