On Sun, Feb 23, 2003, Shlomi Fish wrote about "Re: Problem with Pth or make or what?":
> > > Another related issue. I hope nobody uses '.' in their path
> > > as root -- this is suicidal in terms of security.
> > Only on systems which (might) have malicious users. Not relevant for
> > home computers.
> It is not entirely unlikely that home computers will be penetrated or
> compromised while being connected to the Internet. It is still a bad idea
> there.

One quite unlikely scenario in which you can indeed benefit from not having '.' in your path: someone broke into an account which doesn't belong to a real user (say, httpd) and is unable to upgrade to superuser, so he puts an "ls" in some directory he can write (e.g., /tmp) and hopes the superuser will accidentally run it. Or perhaps a normal user runs it, and then the trojan can modify his setup (add an 'su' alias or program, etc.) to steal the superuser password.

Some people might consider this risk serious enough to change the path. I don't, usually. There are plenty of other, more serious, risks.

--
Nadav Har'El                        | Sunday, Feb 23 2003, 21 Adar I 5763
[EMAIL PROTECTED]                   |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 |The person who knows how to laugh at
http://nadav.harel.org.il           |himself will never cease to be amused.
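
A check for the condition discussed in this thread, as an added example that is not part of the original messages: a shell function that audits a PATH string for '.', for empty components (which the shell also treats as the current directory), for relative entries, and for world-writable directories. The last three go beyond the '.' case in the thread; the name `audit_path` and the sample PATH are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a PATH string and prints one
# finding per line as "<kind>:<entry>". Returns 0 if clean, 1 otherwise.
audit_path() {
    findings=0
    # Append ':' so that a trailing empty component survives the splitting.
    rest="$1:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            "")
                # Leading, trailing or doubled ':' means "current directory".
                echo "cwd-empty:"
                findings=$((findings + 1)) ;;
            .)
                echo "cwd-dot:."
                findings=$((findings + 1)) ;;
            /*)
                # Absolute entry: flag it if any user may create files there.
                if [ -d "$entry" ]; then
                    perms=$(ls -ldL "$entry" 2>/dev/null)
                    case $perms in
                        d???????w*)
                            echo "world-writable:$entry"
                            findings=$((findings + 1)) ;;
                    esac
                fi ;;
            *)
                # Relative entries resolve against the current directory too.
                echo "relative:$entry"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample PATH; to audit a real account, pass "$PATH" instead
# while logged in as that account (e.g. root).
SAMPLE="/usr/local/bin::/usr/bin:.:bin"
audit_path "$SAMPLE" || echo "PATH has entries that should be removed"
```
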