Mail Archives: cygwin/1999/01/11/07:22:51
On Mon, Jan 11, 1999 at 06:41:28PM +1300, Will Mooar wrote:
[...]
> This is normal for unix (and cygwin) - it only searches for applications to
> run from the PATH environment variable. If "." is not in the PATH, it won't
> find configure in the current directory.
>
> I have seen people mention that this is generally a bad idea, as it may pose
> a security threat. Unfortunately, no-one has elaborated why.
[...]
The security issue only really applies to multi-user systems with
filesystem security, such as Unix and Windows NT. On Unix machines,
it is usually considered to be unacceptable to have "." at the front
of a user's $path and somewhat of a bad idea to have it at the end of a
user's path.
Here's an example of why having "." in your path can be a Bad Idea (tm).
An evil person has write permissions to a directory that you're likely
to go to. They install an executable called "ls" in that directory.
The next time you visit that directory, you run "ls" which invokes
their "ls" which first sends all of your private email to them (or
does some other sequence of actions as you) and then runs the real
"ls". You don't notice anything is different but your security has
just been compromised.
When "." isn't in your path you mostly only have to worry about
directories in your path being secure. In the above case, "ls" in
that directory would have called the correct "ls" (in your path) and
not the one in ".".
I'd be willing to bet that in most cases, NT systems are not set up
such that administrator is the only one able to change information in
users' paths, so the above will be irrelevant for a lot of people in
real life. Still, I think it's better that people have to add "." to
the end of their paths themselves.
--
Geoffrey Noer
noer AT cygnus DOT com
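As an added illustration of the lookup described in the message above (example code, not from Geoffrey Noer's post or from the Cygwin project): a small POSIX sh script that mirrors the shell's left-to-right PATH walk, audits a PATH string for entries that resolve relative to the current directory, and stages the planted-"ls" scenario in a throwaway directory. The directory layout, the "evidence" file and both "ls" stand-ins are constructed for the demo. The audit also flags empty entries (a leading or trailing colon, or "::"), because POSIX defines a zero-length PATH element as the current directory, so "/usr/bin:" is the same hazard as "/usr/bin:." even though no "." is visible.

```shell
#!/bin/sh
# Added example, not part of the original message. Shows how PATH lookup
# picks a planted "ls" when "." (or an empty entry) comes first, and how
# to audit a PATH string. All paths and file names below are constructed.

# resolve_cmd NAME PATH_STRING: print the file a PATH search would execute.
# Walks entries left to right the way the shell does; an empty entry
# (leading or trailing colon, or "::") means the current directory, like ".".
resolve_cmd() {
    _name=$1
    _rest="$2:"
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}
        _rest=${_rest#*:}
        [ -n "$_dir" ] || _dir=.
        if [ -f "$_dir/$_name" ] && [ -x "$_dir/$_name" ]; then
            printf '%s\n' "$_dir/$_name"
            return 0
        fi
    done
    return 1
}

# audit_path PATH_STRING: report entries that resolve relative to the
# current directory (".", empty, or any non-absolute path). Returns 1 if any.
audit_path() {
    _rest="$1:"
    _bad=0
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}
        _rest=${_rest#*:}
        case $_dir in
            /*) ;;
            '') printf 'unsafe PATH entry: <empty> (means ".")\n'; _bad=1 ;;
            *)  printf 'unsafe PATH entry: %s\n' "$_dir"; _bad=1 ;;
        esac
    done
    return $_bad
}

# demo: a "system" bin with a harmless ls stand-in, plus a shared directory
# holding a planted ls. Compare lookups with and without "." in PATH, then
# actually run the unsafe way once. Returns 0 if the planted ls ran.
demo() {
    _top=$(mktemp -d)
    mkdir -p "$_top/bin" "$_top/shared"
    printf '#!/bin/sh\necho real-ls\n' > "$_top/bin/ls"
    # The planted ls records that it ran, then hands off to the real one so
    # the victim sees normal output (the "sends your mail" step is left out).
    printf '#!/bin/sh\necho planted-ls-ran >> "%s/evidence"\nexec "%s/bin/ls" "$@"\n' \
        "$_top" "$_top" > "$_top/shared/ls"
    chmod 755 "$_top/bin/ls" "$_top/shared/ls"

    cd "$_top/shared" || return 1
    printf 'PATH=.:%s  resolves ls to %s\n' "$_top/bin" "$(resolve_cmd ls ".:$_top/bin")"
    printf 'PATH=%s    resolves ls to %s\n' "$_top/bin" "$(resolve_cmd ls "$_top/bin")"
    audit_path ".:$_top/bin" || true

    # Run it the unsafe way: output looks normal, but the evidence file appears.
    ( PATH=".:$_top/bin"; export PATH; ls >/dev/null )
    if [ -f "$_top/evidence" ]; then
        echo "planted ls executed: $(cat "$_top/evidence")"
        _ok=0
    else
        _ok=1
    fi
    cd / && rm -rf "$_top"
    return $_ok
}

demo
```

The two functions are the reusable part: resolve_cmd answers "which file would this name actually run from here", and audit_path is a quick check to drop into a login script so a stray "." or trailing colon in PATH gets reported before the first command is typed.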