Date:      Tue, 22 Sep 1998 09:22:05 -0700 (PDT)
From:      David Wolfskill <dhw@whistle.com>
To:        dorseb@hol.fr, groggy@iname.com
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Executing file
Message-ID:  <199809221622.JAA14805@pau-amma.whistle.com>
In-Reply-To: <Pine.BSF.3.96.980921041502.4079A-100000@abc.xyz.net>

>From: groggy@iname.com
>Date: Mon, 21 Sep 1998 04:19:11 -0800 (AKDT)

>yes, by making "." part of your path.
>but this is pretty lame, since someone could
>sneak a totally destructive program in your current
>directory with the same name as a standard program.

>for example, make a script called "ls" as follows:

>#!/bin/sh
>rm -rf /etc /root /usr /var

>now, try to list your directory with "." in your path ;)

Not a problem, as long as a version of "ls" that I can execute comes
*before* the above version in the path.  (Of course, it's also not a
problem because I -- as a "normal user" -- don't have permission to mess
with the above....)

Remember that the path is an ordered list of directories.

If you *do* put the current directory in your path, please:

* consider putting it *last* (to avoid possible nasties like the above)

* recall that an empty directory specification is equivalent to
  specifying the current directory -- that is:

  foo::bar

  is equivalent to

  foo:.:bar

  for parsing the PATH environment variable.

david
-- 
David Wolfskill		UNIX System Administrator
dhw@whistle.com		voice: (650) 577-7158	pager: (650) 371-4621
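
The two points in the message above (an empty PATH field means the current directory, and its position in the ordered list matters) can be checked mechanically. The following is an added example, not part of the original message; audit_path is a hypothetical helper name and the sample PATH strings are constructed.

```sh
#!/bin/sh
# Added example, not from the original message.
# audit_path (hypothetical name) walks a PATH-style string and reports every
# entry that means the current directory: "." or an empty field.
# Return status: 0 = none found, 1 = found only at the end of the list,
# 2 = found ahead of at least one other directory, where it can shadow
# commands that live in the later directories.
audit_path() {
    rest=$1      # unparsed remainder of the string
    pos=0        # 1-based index of the entry being examined
    found=0      # number of current-directory entries seen so far
    early=0      # set once such an entry is followed by another directory
    more=1
    while [ "$more" -eq 1 ]; do
        pos=$((pos + 1))
        case $rest in
            *:*) entry=${rest%%:*}; rest=${rest#*:} ;;  # split at first colon
            *)   entry=$rest; more=0 ;;                 # final field
        esac
        case $entry in
            '') echo "entry $pos: empty field"; found=$((found + 1)) ;;
            .)  echo "entry $pos: ."; found=$((found + 1)) ;;
            *)  if [ "$found" -gt 0 ]; then early=1; fi ;;
        esac
    done
    if [ "$found" -eq 0 ]; then return 0; fi
    if [ "$early" -eq 1 ]; then return 2; fi
    return 1
}

# Constructed samples, including the two forms quoted in the message.
for sample in 'foo::bar' 'foo:.:bar' '/bin:/usr/bin:' ':/bin' '/bin:/usr/bin'; do
    echo "PATH=$sample"
    audit_path "$sample" || echo "  status $?"
done
```

Run it against a live session with audit_path "$PATH"; a leading or trailing colon is reported the same way as the doubled colon in the message.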
