Date: Tue, 25 Jun 1996 00:28:34 -0700 (PDT) From: -Vince- <vince@mercury.gaianet.net> To: Mark Murray <mark@grumble.grondar.za> Cc: hackers@FreeBSD.org, security@FreeBSD.org, Chad Shackley <chad@mercury.gaianet.net>, jbhunt <jbhunt@mercury.gaianet.net> Subject: Re: I need help on this one - please help me track this guy down! Message-ID: <Pine.BSF.3.91.960625002724.21697g-100000@mercury.gaianet.net> In-Reply-To: <199606250712.JAA08662@grumble.grondar.za>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 25 Jun 1996, Mark Murray wrote: > -Vince- wrote: > > > > Hmmm, doesn't everyone have . as their path since all . does is allow > > > > someone to run stuff from the current directory... > > > > > > Not root! this leaves you wide open for trojans. As root you should > > > have to type ./foo to run foo in the current directory. > > > > Hmmm, really? It seems like almost all systems root has . for the > > path but if the directory for root is like read, write, execute by root > > only, how will they get into it? > > Example: user suspects you may be a DOS user, and are likely to try > to type the "dir" or "cls" command every now and then (by mistake). > > In his home directory he places a script called "dir" that creates a > suid shell (silently) then prints the usual "command not found" error. > > He then phones you, asking for support, and tries to trick you into > running his script. Having "." in your path makes his trickery easier. Hmmm, that's only if we had phone support.... We don't :) but do admins really go run a program that the user said won't run? Vince
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.91.960625002724.21697g-100000>