Eric Blake <[EMAIL PROTECTED]> wrote:
> According to Jim Meyering on 4/22/2008 5:13 PM:
> |>> If security isn't enough of an argument, you can consider this yet another
> |>> reason not to put "." early in your PATH.  Please consider removing
> |>> "." from your PATH altogether.
>
> | Besides, I recognize that no system is immune from risk.
> | I.e., a bug in my browser may allow malicious code to create
> | that /tmp/ls file you mentioned.
>
> I personally like having . in my PATH on systems I manage, but only at the
> end and never first, so I can guarantee that any important program (like
> /bin/ls) cannot be inadvertently replaced by a malicious /tmp/ls.

With "." anywhere in your PATH, you're still subject to the risk of the
classic typo-trojan.  I.e., if someone/something creates /tmp/sl and
you type e.g., "sl" instead of "ls" while in /tmp.


_______________________________________________
Bug-coreutils mailing list
Bug-coreutils@gnu.org
http://lists.gnu.org/mailman/listinfo/bug-coreutils
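
The point made in the reply above, that "." is a risk at any position in PATH, can be checked with a short audit. This is an added example and not part of the original thread. The function names `cwd_entries` and `cwd_only_commands` are hypothetical. It also covers empty PATH components, which POSIX shells treat as the current directory.

```shell
#!/bin/sh
# Print "position:entry" for every component of PATH string $1 that is
# resolved against the current directory: ".", any other relative name,
# or an empty component (leading, trailing or doubled colon).
cwd_entries() {
    rest="$1:"; pos=0            # trailing colon so the last entry is parsed too
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}; pos=$((pos + 1))
        case $entry in
            /*) ;;                          # absolute: independent of cwd
            "") echo "$pos:<empty>" ;;      # empty component means cwd
            *)  echo "$pos:$entry" ;;       # "." or another relative path
        esac
    done
}

# Print the executables in directory $1 that no absolute component of PATH
# string $2 provides. With "." last in PATH these names still run from that
# directory when typed bare, which is the mistyped "sl" case.
cwd_only_commands() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        name=${f##*/}; found=no; rest="$2:"
        while [ -n "$rest" ]; do
            entry=${rest%%:*}; rest=${rest#*:}
            case $entry in
                /*) if [ -f "$entry/$name" ] && [ -x "$entry/$name" ]; then found=yes; fi ;;
            esac
        done
        if [ "$found" = no ]; then echo "$name"; fi
    done
}

# Audit the current shell: cwd-dependent PATH entries, then names in the
# current directory that only a cwd entry would make runnable.
cwd_entries "$PATH"
cwd_only_commands . "$PATH"
```

No output from `cwd_entries` means every PATH component is absolute, in which case nothing listed by `cwd_only_commands` can run by bare name.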
