Mail Archives: cygwin/1999/01/11/15:43:07

From: willm AT ihug DOT co DOT nz (Will Mooar)
Subject: Re: Problem with /bin mount?
11 Jan 1999 15:43:07 -0800
Message-ID: <002001be3d43$cc800e00$20884fd1.cygnus.gnu-win32@monster>
Mime-Version: 1.0
To: "Geoffrey Noer" <noer AT cygnus DOT com>
Cc: <gnu-win32 AT cygnus DOT com>

Thanks Geoffrey for the clear explanation, it now makes plenty of sense.

Kind regards - Will.
_______________________________
Will Mooar
System Analyst
willm AT ihug DOT co DOT nz

----- Original Message -----
From: Geoffrey Noer <noer AT cygnus DOT com>
To: Will Mooar <willm AT ihug DOT co DOT nz>
Cc: <SWarsMatt AT aol DOT com>; <gnu-win32 AT cygnus DOT com>
Sent: Monday, 11 January 1999 22:17
Subject: Re: Problem with /bin mount?


>On Mon, Jan 11, 1999 at 06:41:28PM +1300, Will Mooar wrote:
>[...]
>> This is normal for unix (and cygwin) - it only searches for applications to
>> run from the PATH environment variable.  If "." is not in the PATH, it won't
>> find configure in the current directory.
>>
>> I have seen people mention that this is generally a bad idea, as it may pose
>> a security threat.  Unfortunately, no-one has elaborated why.
>[...]
>
>The security issue only really applies to multi-user systems with
>filesystem security, such as Unix and Windows NT.  On Unix machines,
>it is usually considered to be unacceptable to have "." at the front
>of a user's $path and somewhat of a bad idea to have it at the end of a
>user's path.
>
>Here's an example of why having "." in your path can be a Bad Idea (tm).
>An evil person has write permissions to a directory that you're likely
>to go to.  They install an executable called "ls" in that directory.
>The next time you visit that directory, you run "ls" which invokes
>their "ls" which first sends all of your private email to them (or
>does some other sequence of actions as you) and then runs the real
>"ls".  You don't notice anything is different but your security has
>just been compromised.
>
>When "." isn't in your path you mostly only have to worry about
>directories in your path being secure.  In the above case, "ls" in
>that directory would have called the correct "ls" (in your path) and
>not the one in ".".
>
>I'd be willing to bet that in most cases, NT systems are not set up
>such that administrator is the only one able to change information in
>users' paths, so the above will be irrelevant for a lot of people in
>real life.  Still, I think it's better that people have to add "." to
>the end of their paths themselves.
>
>--
>Geoffrey Noer
>noer AT cygnus DOT com
>

-
For help on using this list (especially unsubscribing), send a message to
"gnu-win32-request AT cygnus DOT com" with one line of text: "help".
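As an added example (not part of this thread), a small POSIX sh function that audits a PATH value for the hazards Geoffrey describes: a "." or empty component (both mean the current directory to most shells), a relative component, and an absolute directory that other users can write to, where someone else could drop their own "ls". The function name `audit_path` and the message wording are choices made here.

```shell
#!/bin/sh
# audit_path: report PATH components that would let someone else's "ls"
# run as you. Flags "." and empty components (both mean the current
# directory to most shells), relative components (resolved against the
# current directory), and absolute directories writable by all users.
# Prints one line per finding; returns 0 only when nothing was found.
audit_path() {
    path_value=$1
    findings=0
    # A trailing ':' keeps an empty final component (e.g. "/usr/bin:") visible.
    rest="$path_value:"
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        case "$dir" in
            ''|.)
                echo "UNSAFE: current directory ('${dir:-<empty>}') is on PATH"
                findings=$((findings + 1))
                ;;
            /*)
                # The ninth character of 'ls -ld' output is the "other write"
                # bit; group-writable directories are deliberately not flagged
                # here because user-private groups make that a common false hit.
                if [ -d "$dir" ]; then
                    case "$(ls -ld "$dir")" in
                        ????????w*)
                            echo "UNSAFE: $dir is writable by all users"
                            findings=$((findings + 1))
                            ;;
                    esac
                fi
                ;;
            *)
                echo "UNSAFE: relative component '$dir' is on PATH"
                findings=$((findings + 1))
                ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# When run directly, audit the caller's own PATH (or the value given as $1).
if audit_path "${1:-$PATH}"; then
    echo "PATH contains no current-directory or world-writable components"
fi
```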

  Copyright © 2019   by DJ Delorie     Updated Jul 2019