Re: PATH variable in zip-slackware 2.0.35

From: bandreggat_private
Date: Tue Jan 05 1999 - 06:49:00 PST

    [ I told myself to stay out of this. ]
    
    On Mon, 4 Jan 1999 15:02:54 -0600, "Patrick J. Volkerding" wrote:
    >3.  If you put '.' last in the $PATH, it's a minimal risk, IMHO.  If you
    >    use normal care in user-writable directories you're not likely to ever
    >    have a problem.  Attacks would depend on specific typos in specific
    >    user-writable directories matching the filename of an attack script.
    >    This would be extremely rare.
    >
    >    However, if you fall into category (1), you can change the default
    >    $PATH easily. It's hardly a hidden setting.
    
    # cd /tmp
    # sl
    bash: sl: command not found
    
    I argue that this is a fairly common occurrence when typing quickly or
    sloppily. Whether or not I *can* change $PATH has nothing to do with the fact
    that the $PATH you are providing is *less* secure than it can be.
    
    People don't need the ability to run arbitrary programs from their current
    directory without the "./". They don't, end of story.
    --
                    Bryan C. Andregg * <bandreggat_private> * Red Hat Software
    
            "I was really tired and could not fall asleep."
                            -- Evaluation Comment for my Tutorial
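
One way to check a $PATH value for the entries argued about in this message, as an added example that is not part of the original post. The function names `classify_entry` and `audit_path` and the sample values are constructed for illustration. It reports '.', empty entries (which the shell also treats as the current directory) and other relative entries, and notes whether each is last or comes before other entries.

```shell
#!/bin/sh
# Added example: audit a PATH-style string for entries that the shell
# resolves against the current working directory.

# classify_entry ENTRY -> prints EMPTY, DOT, RELATIVE or OK
classify_entry() {
    case "$1" in
        "")    echo EMPTY ;;     # leading ':', trailing ':' or '::' means cwd
        .|./)  echo DOT ;;
        /*)    echo OK ;;        # absolute directory
        *)     echo RELATIVE ;;  # e.g. 'bin' or '../tools', also cwd-dependent
    esac
}

# audit_path PATHSTRING
# Prints one line per risky entry: INDEX KIND POSITION "ENTRY"
# POSITION is 'last' when nothing follows the entry (it is only consulted for
# names found in no earlier directory, such as a mistyped command) and
# 'not-last' when it is searched before at least one other entry.
# Returns 0 if the value is clean, 1 otherwise.
audit_path() {
    rest="$1:"      # sentinel ':' so a trailing empty entry is not lost
    index=0
    bad=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        index=$((index + 1))
        kind=$(classify_entry "$entry")
        if [ "$kind" != OK ]; then
            if [ -n "$rest" ]; then pos=not-last; else pos=last; fi
            printf '%s %s %s "%s"\n' "$index" "$kind" "$pos" "$entry"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample values, not taken from any real system.
for sample in "/usr/local/bin:/usr/bin:/bin:." ":/usr/bin::bin:/bin:"; do
    echo "PATH=$sample"
    audit_path "$sample" || true
done
```

Running `audit_path "$PATH"` from a login script or a configuration check gives a non-zero status whenever the default still contains a current-directory entry.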
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:27:30 PDT