Date: Wed, 24 Jul 1996 12:14:39 -0400 (EDT)
From: hoek@freenet.hamilton.on.ca
To: paradox@pegasus.rutgers.edu
Cc: freebsd-questions@freebsd.org
Subject: Re: ["Ian Kallen" <ian@gamespot.com>: Re: Install Q& A]
Message-ID: <199607241614.MAA02438@james.freenet.hamilton.on.ca>
In Email, Red Barchetta <paradox@pegasus.rutgers.edu> wrote:
> >Is . in your path? A lot of folks consider it bad sysadmin practice
> >to have it so and to precede all commands outside their path with full
> >paths or relative paths (i.e. from /stand run it as ./sysinstall).
>
> Why is this considered bad practice?

I'm sure someone else will mention the security problems involved, but...

You'll find, if you're new to UNIX, that it's just not like DOS in that 99% of the time when you are running a command it is not in the current directory. In DOS, one might do something like

    cd \spread\lotus
    lotus

But in UNIX the executable programs are typically all kept in their own directory with nothing but executables (ex. /bin, /usr/bin, /sbin, /usr/sbin, /usr/local/bin -- the bin in each of these probably stands for "binaries"). If lotus were a UNIX program, you would probably find lotus.exe in /usr/local/bin and the rest of the files used by lotus elsewhere. It's just not necessary to have `.' in your path most of the time.

To prove that this can be a security concern, let me relate something that happened to someone using DOS. They were given a zip file and asked to have a look at it (for a good and sensible reason). They moved the zip into a directory and pkunzipped it. Inside of the zip were more zip files. The person then unzipped these files. Suddenly he was infected with a virus.

What happened is that inside the first zipfile was a false copy of pkunzip which deactivated all the virus checkers, then called the real pkunzip, and then ran a virus that was contained inside one of the secondary zips. Had DOS not run the pkunzip that was in the current directory, the real pkunzip would have been run, the virus checkers not disabled, and the virus caught. As it was, he lost several months of work due to the viruses. (which brings us to rule #2: backup, but that's another story :)

--
-- tIM...HOEk
Outnumbered? Maybe. Outspoken? NEVER!
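The lookup behaviour the message describes, as an added example that is not part of the original post or of FreeBSD: a POSIX sh script that audits a PATH value for entries that hand command lookup to the working directory, and then replays the pkunzip story harmlessly with two constructed stand-in scripts. It assumes a POSIX shell with `command -v` and `mktemp`; the function names (`path_has_unsafe_entry`, `resolve_command`, `demo_shadowing`) and the throwaway `pkunzip` files are this example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list message): audit a PATH value for
# entries that make command lookup depend on the current directory, and show
# how a same-named file in the working directory shadows the real program.
# Names (path_has_unsafe_entry, resolve_command, demo_shadowing) and the
# "pkunzip" stand-in scripts are this example's own.

# Return 0 (true) when the PATH string in $1 contains a risky entry and
# print each one: "." itself, an empty entry (a leading, trailing or doubled
# colon, which POSIX shells also treat as the current directory), or any
# relative path. Returns 1 when every entry is an absolute directory.
path_has_unsafe_entry() {
    _rest="$1:"            # terminating colon so the last entry is handled uniformly
    _rc=1
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}   # text before the first colon
        _rest=${_rest#*:}     # drop that text and the colon
        case $_entry in
            "") echo "empty entry (searched as the current directory)"; _rc=0 ;;
            .)  echo "'.' entry (the current directory)"; _rc=0 ;;
            /*) ;;            # absolute directory: fine
            *)  echo "relative entry: $_entry"; _rc=0 ;;
        esac
    done
    return $_rc
}

# Print the file the shell would run for command name $3 when looked up with
# PATH value $1 from working directory $2. Runs in a subshell so the caller's
# PATH and cwd are untouched, and uses the shell's own lookup (command -v),
# so the answer is exactly what the shell would execute.
resolve_command() (
    cd "$2" || return 1
    PATH=$1
    export PATH
    command -v "$3"
)

# Harmless re-run of the pkunzip story: a "real" tool in its own bin
# directory and a same-named file dropped into a work directory. Both are
# constructed scripts that only echo a line.
demo_shadowing() {
    _real=$(mktemp -d) || return 1
    _work=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho "real tool"\n' > "$_real/pkunzip"
    printf '#!/bin/sh\necho "file from the current directory"\n' > "$_work/pkunzip"
    chmod 755 "$_real/pkunzip" "$_work/pkunzip"
    echo "PATH=$_real   resolves pkunzip to: $(resolve_command "$_real" "$_work" pkunzip)"
    echo "PATH=.:$_real resolves pkunzip to: $(resolve_command ".:$_real" "$_work" pkunzip)"
    rm -rf "$_real" "$_work"
}

# Check the PATH of the shell running this script, then show the shadowing.
if path_has_unsafe_entry "$PATH"; then
    echo "warning: this PATH lets the working directory supply commands"
else
    echo "PATH holds only absolute directories"
fi
demo_shadowing
```

Running it from a directory that contains the shadow file shows the second lookup returning `./pkunzip` instead of the copy in the bin directory, which is the whole difference between the two outcomes in the story; the same check over `$PATH` is a cheap thing to add to a login-script review.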