On Thu, 24 Jan 2002, Thomas Sourmail wrote:

> > run, this is for security purposes because you should
> > not put . in your path or else someone could bust
> > into your unix system.
>
> How ?
>

If the current directory is in the PATH variable before the standard paths, someone could place a trojaned version of a program into a world writable directory. Whenever someone ran (or thought they ran) a system utility from that directory, they would instead be running the fake.

E.g.

    echo $PATH

You should see something like

    /usr/bin:/bin:/usr/local/bin

Set root's PATH to include the current directory first:

    PATH=.:$PATH

cd to /tmp as a normal user, create a script that does something, say touch a file in a privileged directory, and call the script ls:

    #!/bin/bash
    touch /path/to/privileged/directory/delete_me
    ls $*

Now, if root cds to /tmp and does an 'ls', the script will run instead.
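
A defensive check for the condition described in the message above, as an added example that is not part of the original post: it flags PATH elements that resolve to the current directory (an empty element counts, just like `.`) or to a directory that others can write to. The function name `audit_path` and the sample PATH string are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag PATH elements that let
# a file in the current or a shared directory shadow a system command.

# audit_path PATH_STRING
# Prints one finding per risky element; returns 1 if any were found.
audit_path() {
    findings=0
    # Append ':' so a trailing empty element is still visited by the loop.
    rest="$1:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text before the first ':'
        rest=${rest#*:}     # text after the first ':'
        case "$entry" in
            '')
                # A leading, trailing or doubled ':' means "current directory".
                echo "CWD: empty element (same effect as '.')"
                findings=1 ;;
            /*)
                # -L follows symlinks such as /bin -> usr/bin; -prune stops
                # find from descending; -perm -0002 matches "others may write".
                if [ -d "$entry" ] &&
                   [ -n "$(find -L "$entry" -prune -perm -0002 -print 2>/dev/null)" ]; then
                    echo "WORLD-WRITABLE: $entry"
                    findings=1
                fi ;;
            *)
                # '.', '..', 'bin', './tools': all resolved against the cwd.
                echo "CWD: relative element '$entry'"
                findings=1 ;;
        esac
    done
    return "$findings"
}

# Constructed sample: the PATH from the message with '.' put first.
audit_path ".:/usr/bin:/bin:/usr/local/bin" || echo "=> fix PATH before use"
```

Run it against root's real environment with `audit_path "$PATH"`; a sticky-bit directory such as /tmp is still reported, because any user can create a new file there.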
