From: willm AT ihug DOT co DOT nz (Will Mooar)
Subject: Re: Problem with /bin mount?
Date: 11 Jan 1999 15:43:07 -0800
Message-ID: <002001be3d43$cc800e00$20884fd1.cygnus.gnu-win32@monster>
Mime-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
To: "Geoffrey Noer"
Cc:

Thanks Geoffrey for the clear explanation, it now makes plenty of sense.

Kind regards - Will.
_______________________________
Will Mooar
System Analyst
willm AT ihug DOT co DOT nz

----- Original Message -----
From: Geoffrey Noer
To: Will Mooar
Cc: ;
Sent: Monday, 11 January 1999 22:17
Subject: Re: Problem with /bin mount?

>On Mon, Jan 11, 1999 at 06:41:28PM +1300, Will Mooar wrote:
>[...]
>> This is normal for unix (and cygwin) - it only searches for applications to
>> run from the PATH environment variable. If "." is not in the PATH, it won't
>> find configure in the current directory.
>>
>> I have seen people mention that this is generally a bad idea, as it may pose
>> a security threat. Unfortunately, no-one has elaborated why.
>[...]
>
>The security issue only really applies to multi-user systems with
>filesystem security, such as Unix and Windows NT. On Unix machines,
>it is usually considered to be unacceptable to have "." at the front of
>a user's $path and somewhat of a bad idea to have it at the end of a
>user's path.
>
>Here's an example of why having "." in your path can be a Bad Idea (tm).
>An evil person has write permissions to a directory that you're likely
>to go to. They install an executable called "ls" in that directory.
>The next time you visit that directory, you run "ls" which invokes
>their "ls" which first sends all of your private email to them (or
>does some other sequence of actions as you) and then runs the real
>"ls". You don't notice anything is different but your security has
>just been compromised.
>
>When "." isn't in your path you mostly only have to worry about
>directories in your path being secure. In the above case, "ls" in
>that directory would have called the correct "ls" (in your path) and
>not the one in ".".
>
>I'd be willing to bet that in most cases, NT systems are not set up
>such that administrator is the only one able to change information in
>users' paths, so the above will be irrelevant for a lot of people in
>real life. Still, I think it's better that people have to add "." to
>the end of their paths themselves.
>
>--
>Geoffrey Noer
>noer AT cygnus DOT com
>

-
For help on using this list (especially unsubscribing), send a message to
"gnu-win32-request AT cygnus DOT com" with one line of text: "help".
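As an added illustration of the point Geoffrey makes (this is not code from the original thread): a small POSIX shell audit that flags the PATH entries which make the trojan-"ls" scenario possible and builds a cleaned copy without them. Beyond a literal ".", it also treats an empty field (":" at the start, end, or doubled in the middle) and any other relative entry as a current-directory lookup, since the shell resolves those against whatever directory you happen to be in. The function names and the sample PATH are my own.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# path_risks PATHSTRING
#   prints one line per entry that resolves against the current directory
#   ("." or "./x", an empty field, or any relative name) and returns the
#   number of such entries (0 means the PATH is clean in this respect).
path_risks() {
    _rest="$1:"      # trailing ':' so the loop consumes the last field too
    _found=0
    while [ -n "$_rest" ]; do
        _entry="${_rest%%:*}"
        _rest="${_rest#*:}"
        case "$_entry" in
            "")    echo "empty entry (searched as current directory)"; _found=$((_found + 1)) ;;
            . | ./*) echo "current-directory entry: $_entry";          _found=$((_found + 1)) ;;
            /*)    ;;   # absolute entry: not a cwd lookup; still keep it non-world-writable
            *)     echo "relative entry (resolved against cwd): $_entry"; _found=$((_found + 1)) ;;
        esac
    done
    return $_found
}

# path_clean PATHSTRING
#   prints PATHSTRING with every cwd-relative entry removed, keeping order.
path_clean() {
    _rest="$1:"
    _out=""
    while [ -n "$_rest" ]; do
        _entry="${_rest%%:*}"
        _rest="${_rest#*:}"
        case "$_entry" in
            /*) _out="${_out:+$_out:}$_entry" ;;   # keep absolute entries only
            *)  ;;                                 # drop "", ".", "./x", relative names
        esac
    done
    printf '%s\n' "$_out"
}

# Constructed sample: "." at the end (the placement Geoffrey calls a bad idea),
# plus an empty field and a relative name. Pass "$PATH" instead to audit your own.
SAMPLE_PATH="/usr/local/bin:/usr/bin::bin:/bin:."
path_risks "$SAMPLE_PATH" || echo "$? risky entries; cleaned: $(path_clean "$SAMPLE_PATH")"
```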