Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT sourceware DOT cygnus DOT com>
List-Archive: <http://sourceware.cygnus.com/ml/cygwin/>
List-Post: <mailto:cygwin AT sourceware DOT cygnus DOT com>
List-Help: <mailto:cygwin-help AT sourceware DOT cygnus DOT com>, <http://sourceware.cygnus.com/ml/#faqs>
Sender: cygwin-owner AT sourceware DOT cygnus DOT com
Delivered-To: mailing list cygwin AT sourceware DOT cygnus DOT com
Message-ID: <38BAE135.419B57B1@adaptivesilicon.com>
Date: Mon, 28 Feb 2000 12:57:25 -0800
From: Steve Kelem <kelem AT adaptivesilicon DOT com>
Organization: Adaptive Silicon, Inc.
X-Mailer: Mozilla 4.7 [en] (WinNT; U)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: Cygwin <cygwin AT sourceware DOT cygnus DOT com>
Subject: Security hole in Cygwin FAQ
Content-Type: multipart/mixed;
 boundary="------------0981C2B04CF7CD56666FBB74"

--------------0981C2B04CF7CD56666FBB74
Content-Type: multipart/alternative;
 boundary="------------5A9C6A53B0CCD0B6E3FD05D9"


--------------5A9C6A53B0CCD0B6E3FD05D9
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

The  Cygwin FAQ says:

     Shell scripts aren't running properly from my makefiles?

     You need to have . (dot) in your $PATH. You should NOT need to
     add /bin/sh in front of each and every shell script invoked in
     your Makefiles.

If you need to execute something in the current directory, call for it
explicitly, as ./foobar, not as foobar and count on the current
directory being in your path.

According to Practical Unix Security, by Garfinkel & Spafford (O'Reilly
& Associates), page 152:

     The current directory, as designated by a null directory or
     period, should never be included in the search path.

The reason being that an attacker can put a password-catching program or
other malicious program under a commonly-used name, such as ls, su,
rlogin, login, ftp, etc. By placing the trojan horse in a place where
you might execute it, such as /tmp, or by subterfuge suggested in the
book, if "." is in the path, the unsuspecting user will execute the
trojan horse instead of the intended program.

The authors recommend:

     We strongly recommend that you get in the habit of typing the
     full pathname of commands when you are running as root.  For
     example, instead of just typing chown, type /etc/chown to be
     sure you are getting the system version!  This may seem like
     extra work, but when you are running as root, you also bear
     extra responsibility.  No only will this help protect you
     against changes in your search path, it will also prevent
     surreptitiously-set aliases from working.

Granted, there isn't much security on Windows. However, you shouldn't
reinforce bad practices.

Steve Kelem

--------------5A9C6A53B0CCD0B6E3FD05D9
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
The&nbsp; <a href="http://sourceware.cygnus.com/cygwin/faq/">Cygwin FAQ</a>
says:
<blockquote><b>Shell scripts aren't running properly from my makefiles?</b>
<p>You need to have . (dot) in your $PATH. You should NOT need to add /bin/sh
in front of each and every shell script invoked in your Makefiles.</blockquote>
If you need to execute something in the current directory, call for it
explicitly, as <tt>./foobar</tt>, not as <tt>foobar</tt> and count on the
current directory being in your path.
<p>According to <b>Practical Unix Security</b>, by Garfinkel &amp; Spafford
(O'Reilly &amp; Associates), page 152:
<blockquote>The current directory, as designated by a null directory or
period, should <i>never</i> be included in the search path.</blockquote>
The reason being that an attacker can put a password-catching program or
other malicious program under a commonly-used name, such as <tt>ls</tt>,
<tt>su</tt>, <tt>rlogin</tt>, <tt>login</tt>, <tt>ftp</tt>, etc. By placing
the trojan horse in a place where you might execute it, such as <tt>/tmp</tt>,
or by subterfuge suggested in the book, if "<tt>.</tt>" is in the path,
the unsuspecting user will execute the trojan horse instead of the intended
program.
<p>The authors recommend:
<blockquote>We strongly recommend that you get in the habit of typing the
full pathname of commands when you are running as <b>root</b>.&nbsp; For
example, instead of just typing chown, type /etc/chown to be sure you are
getting the system version!&nbsp; This may seem like extra work, but when
you are running as root, you also bear extra responsibility.&nbsp; No only
will this help protect you against changes in your search path, it will
also prevent surreptitiously-set aliases from working.</blockquote>
Granted, there isn't much security on Windows. However, you shouldn't reinforce
bad practices.
<p>Steve Kelem</html>

--------------5A9C6A53B0CCD0B6E3FD05D9--

--------------0981C2B04CF7CD56666FBB74
Content-Type: text/x-vcard; charset=us-ascii;
 name="kelem.vcf"
Content-Transfer-Encoding: 7bit
Content-Description: Card for Steve Kelem
Content-Disposition: attachment;
 filename="kelem.vcf"

begin:vcard 
n:Kelem;Steve
tel;fax:408-399-8905
tel;work:408-335-2718
x-mozilla-html:FALSE
url:http://www.adaptivesilicon.com
org:Adaptive Silicon, Inc.
adr:;;985 University Ave., Suite 31;Los Gatos;CA;95032-7639;U.S.
version:2.1
email;internet:kelem AT adaptivesilicon DOT com
title:Chief Scientist
fn:Steve Kelem
end:vcard


--------------0981C2B04CF7CD56666FBB74
Content-Type: text/plain; charset=us-ascii

--
Want to unsubscribe from this list?
Send a message to cygwin-unsubscribe AT sourceware DOT cygnus DOT com
--------------0981C2B04CF7CD56666FBB74--