Date: Tue, 22 Sep 1998 09:22:05 -0700 (PDT)
From: David Wolfskill
Message-Id: <199809221622.JAA14805@pau-amma.whistle.com>
To: dorseb@hol.fr, groggy@iname.com
Subject: Re: Executing file
Cc: freebsd-questions@FreeBSD.ORG

>From: groggy@iname.com
>Date: Mon, 21 Sep 1998 04:19:11 -0800 (AKDT)

>yes, by making "." part of your path.
>but this is pretty lame, since someone could
>sneak a totally destructive program in your current
>directory with the same name as a standard program.
>for example, make a script called "ls" as follows:

>#!/bin/sh
>rm -rf /etc /root /usr /var

>now, try to list your directory with "." in your path ;)

Not a problem, as long as a version of "ls" that I can execute comes
*before* the above version in the path.  (Of course, it's also not a
problem because I -- as a "normal user" -- don't have permission to mess
with the above....)

Remember that the path is an ordered list of directories.  If you *do*
put the current directory in your path, please:

* consider putting it *last* (to avoid possible nasties like the above)

* recall that an empty directory specification is equivalent to
  specifying the current directory -- that is:

	foo::bar

  is equivalent to

	foo:.:bar

  for parsing the PATH environment variable.

david
-- 
David Wolfskill		UNIX System Administrator
dhw@whistle.com		voice: (650) 577-7158	pager: (650) 371-4621
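
The two points in the reply above (PATH is searched in order, and an empty field means the current directory), as an added example that is not part of the original message: a POSIX sh check that lists every PATH field depending on the current directory and how many other fields are searched after it. The function names and the sample PATH are constructed for illustration, and the `relative` case goes beyond the two forms the message names.

```sh
#!/bin/sh
# Added example: find PATH entries that make the shell search the current
# directory, and show how many other directories each is searched before.

# Print one line per PATH field in search order: "<position> <kind> <entry>".
path_entries() {
    rest="$1:"                # trailing ':' terminates the last field too
    pos=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}     # text before the first ':'
        rest=${rest#*:}       # drop that field and its ':'
        pos=$((pos + 1))
        case $entry in
            "") kind=empty ;;     # "foo::bar", ":foo", "foo:" -> current dir
            .)  kind=dot ;;
            /*) kind=absolute ;;
            *)  kind=relative ;;  # resolved against the current directory
        esac
        printf '%s %s %s\n' "$pos" "$kind" "$entry"
    done
}

# Print a finding for every entry that depends on the current directory.
# Returns 0 when the PATH has none, 1 otherwise.
audit_path() {
    total=$(( $(path_entries "$1" | wc -l) ))
    findings=$(path_entries "$1" | while read -r pos kind entry; do
        [ "$kind" = absolute ] && continue
        printf 'entry %d of %d (%s): searched before %d other entries\n' \
            "$pos" "$total" "$kind" "$((total - pos))"
    done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample PATH, not taken from a real system.
audit_path "/bin::/usr/bin" || :
```

A finding that reports "searched before 0 other entries" is the "put it last" arrangement the reply recommends; any larger number means a file in the current directory takes precedence over that many later directories.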