X-Recipient: archive-cygwin AT delorie DOT com
X-SWARE-Spam-Status: No, hits=-2.3 required=5.0	tests=AWL,BAYES_00,MISSING_HEADERS,RCVD_IN_DNSWL_LOW,RP_MATCHES_RCVD
X-Spam-Check-By: sourceware.org
Date: Mon, 12 Dec 2011 01:13:02 -0600 (CST)
From: Tim McDaniel <tmcd AT panix DOT com>
cc: cygwin AT cygwin DOT com
Subject: Re: Latest cygwin.bat - need one
In-Reply-To: <20111212063131.GE4028@mrvideo.vidiot.com>
Message-ID: <Pine.NEB.4.64.1112120101590.29339@panix1.panix.com>
References: <20111212054801 DOT GD4028 AT mrvideo DOT vidiot DOT com> <20111212063131 DOT GE4028 AT mrvideo DOT vidiot DOT com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On Mon, 12 Dec 2011, Mike Brown wrote:
> Doing some more digging I found
> the following posting (via google):
>
>    > Does changing 'bash' to '/bin/bash' make a difference?
>
>    Answering my own question: yes.
>
>    There was a change in execvp()'s behaviour to no longer look up
>    an executable in the current working directory, wasn't there? I
>    can't find it in the ChangeLog though.
>
> You've got to be kidding.  Why was the looking into CWD removed?

PATH specifies the list of directories to search for executables.
So if execvp() ever used "." unconditionally regardless of PATH,
then it violated one of the most long-standing UNIXy rules.

It can also be a massive security hole.  On a multi-user system,
I can put a script named "ls" in /tmp, or other likely directory for
others to cd to, to
- copy /bin/bash to some location
- set the setuid bit and setgid on this copy
- run /bin/ls
   (Bonus points: somehow filter out this nasty ls script if they are
   looking at /tmp.  This is hard.)
Anyone foolish enough to put "." near the start of their PATH and who
did
     cd /tmp
     ls
would thereby get their account hacked, and changing their password
would do no good.  I removed "." from my PATH in the 1980s for just
this reason.  At least if "." is after standard system directories
like /bin /usr/bin, it mitigates the problem to a large extent: it
catches only typos and attempts to run programs that you don't have
installed.  I wonder if there are any common typos to try for.

If execvp() ever looked in "."  unconditionally, there would be no way
to ever completely close this security hole.

-- 
Tim McDaniel, tmcd AT panix DOT com

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple