Date: Tue, 25 Jun 1996 00:32:34 -0700 (PDT) From: -Vince- <vince@mercury.gaianet.net> To: David Greenman <davidg@root.com> Cc: Gary Palmer <gpalmer@FreeBSD.ORG>, Mark Murray <mark@grumble.grondar.za>, hackers@FreeBSD.ORG, security@FreeBSD.ORG, Chad Shackley <chad@mercury.gaianet.net>, jbhunt <jbhunt@mercury.gaianet.net> Subject: Re: I need help on this one - please help me track this guy down! Message-ID: <Pine.BSF.3.91.960625003131.21697h-100000@mercury.gaianet.net> In-Reply-To: <199606250714.AAA03862@root.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 25 Jun 1996, David Greenman wrote: > >-Vince- wrote in message ID > ><Pine.BSF.3.91.960624232727.21697c-100000@mercury.gaianet.net>: > >> Hmmm, doesn't everyone have . as their path since all . does is allow > >> someone to run stuff from the current directory... > > > >No, everyone does NOT have `.' in their paths! I most certainly don't, > >as I know that it's ALL to easy to have someone break your system > >security that way. Imagine if you are looking into something as root, > >and have `.' in your path. You go into someone elses directory, and do > >a `ls'. All they need is a wrapper program called `ls' in that dir > >which copies /bin/sh to some directory, chowns it to root, then sets > >the setuid bit, and THEN exec's ls with the arguments given, an BANG, > >there goes your system security. > > Actually, this particular problem can be avoided by putting "." last in > the search path rather than first. Hmmm, that's what I've noticed is everyone having "." last on the path and not first. My .cshrc's path is actually from ref.tfs.com when it was the 386bsd days... Vince
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.91.960625003131.21697h-100000>