From: Steve Kelem
Organization: Adaptive Silicon, Inc.
Date: Mon, 28 Feb 2000 12:57:25 -0800
To: Cygwin
Subject: Security hole in Cygwin FAQ
Message-ID: <38BAE135.419B57B1@adaptivesilicon.com>
Mailing-List: cygwin AT sourceware DOT cygnus DOT com

The Cygwin FAQ says:
Shell scripts aren't running properly from my makefiles?

You need to have . (dot) in your $PATH. You should NOT need to add /bin/sh in front of each and every shell script invoked in your Makefiles.

If you need to execute something in the current directory, call for it explicitly, as ./foobar, not as foobar and count on the current directory being in your path.

According to Practical Unix Security, by Garfinkel & Spafford (O'Reilly & Associates), page 152:

The current directory, as designated by a null directory or period, should never be included in the search path.
The reason being that an attacker can put a password-catching program or other malicious program under a commonly-used name, such as ls, su, rlogin, login, ftp, etc. By placing the trojan horse in a place where you might execute it, such as /tmp, or by subterfuge suggested in the book, if "." is in the path, the unsuspecting user will execute the trojan horse instead of the intended program.

The authors recommend:

We strongly recommend that you get in the habit of typing the full pathname of commands when you are running as root. For example, instead of just typing chown, type /etc/chown to be sure you are getting the system version! This may seem like extra work, but when you are running as root, you also bear extra responsibility. Not only will this help protect you against changes in your search path, it will also prevent surreptitiously-set aliases from working.
Granted, there isn't much security on Windows. However, you shouldn't reinforce bad practices.

Steve Kelem
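As an added example (not from the original post, the FAQ, or the Cygwin project), here is a POSIX shell check for the hazard the message describes: it flags "." entries, relative entries, and empty entries in a PATH value, and emits a sanitized copy that keeps only absolute directories. An empty entry (leading, trailing or doubled colon) is included because the shell treats it as the current directory too. The function names and the sample PATH value are constructed for this illustration.

```shell
#!/bin/sh
# audit_path VALUE: print one line per risky entry in VALUE (a PATH string).
# Returns 0 when no risky entry was found, 1 otherwise.
audit_path() {
    rest="$1:"          # trailing colon so the last field is visited
    rc=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case "$entry" in
            "")  echo "empty entry (the shell searches the current directory)"; rc=1 ;;
            .)   echo "'.' entry (current directory)"; rc=1 ;;
            /*)  ;;     # absolute directory: passes this check
            *)   echo "relative entry '$entry' (resolved against the current directory)"; rc=1 ;;
        esac
    done
    return $rc
}

# sanitize_path VALUE: print VALUE with every non-absolute entry removed,
# which is the mitigation the post argues for (never search "." implicitly).
sanitize_path() {
    rest="$1:"
    out=""
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case "$entry" in
            /*) out="${out:+$out:}$entry" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Demo on a constructed, deliberately risky value (not anyone's real PATH).
demo=":/usr/local/bin:.:bin:/usr/bin"
audit_path "$demo"
echo "sanitized: $(sanitize_path "$demo")"
```

Running `audit_path "$PATH"` in a login script gives a cheap check that a Makefile or installer has not quietly added "." to the search path.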