Daniel Martin at cush <[EMAIL PROTECTED]> writes:

> I should point out that it is considered a bad security idea to put
> "." (or in fact any directory name that doesn't begin with "/") in
> root's PATH.  If you're just wanting to do something one time, it
> might be ok to do 'PATH=$PATH:.' as above but I wouldn't put that into
> root's initialization files, or into the system-wide path.  (I should
> qualify this with the statement that I don't completely understand why 
> this is a security hole when it's done as the last component of the
> PATH, but...)

Quite simple: think of a command named sl put in some user's home
directory, and root, who tries to type ls but accidentally types sl.  If
cwd is that directory, the program sl is executed with root privilege
:-(.

        Torsten
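
A check for the PATH entries discussed in this thread, as an added example that is not part of the original messages. The function name audit_path and the sample PATH value are made up for illustration; the check also flags empty entries (a leading, trailing or doubled ":"), which the shell searches as the current directory just like ".".

```shell
#!/bin/sh
# Added example: list PATH entries that are resolved against the current
# directory, i.e. anything that does not begin with "/".
#
# audit_path PATHSTRING
#   prints one "position:entry:reason" line per risky entry
#   returns 0 if every entry is absolute, 1 otherwise
audit_path() {
    audit_rest="$1:"        # trailing ":" so the final entry is not lost
    audit_pos=0
    audit_risky=0
    while [ -n "$audit_rest" ]; do
        audit_entry=${audit_rest%%:*}   # text before the first ":"
        audit_rest=${audit_rest#*:}     # text after the first ":"
        audit_pos=$((audit_pos + 1))
        case $audit_entry in
            '')
                echo "${audit_pos}:<empty>:empty entry means current directory"
                audit_risky=1 ;;
            /*)
                ;;                      # absolute path, independent of cwd
            *)
                echo "${audit_pos}:${audit_entry}:relative to current directory"
                audit_risky=1 ;;
        esac
    done
    return "$audit_risky"
}

# Constructed sample: a root PATH after running 'PATH=$PATH:.' as in the thread.
SAMPLE_PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/bin:/bin:."
audit_path "$SAMPLE_PATH" || echo "PATH contains cwd-dependent entries"
```

Run it against root's real environment with audit_path "$PATH" from a root shell, and against the PATH lines in root's initialization files.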

