Evan Van Dyke wrote:
> Peter S Galbraith wrote:
>> If some user is capable of putting a fake `ls' in a random directory where
>> you might trip on it, that user is far more likely to put it in your ~/bin
>> directory! (Same privileges are required)
>>
>> Just a thought.
>
> Just make the . directory the _last_ part of your path, that way it will
> search /bin /usr/bin /usr/local/bin and
> all the rest of your path first.

This discussion crops up on this list once a week or so. The bottom line is
that users (root especially) should not have a "." anywhere in their path.

Let's assume that root has a "." as the last element of his path. He then goes
to the home directory of a malignant user, intending to do an "ls" on his dir.
Even root is not perfect, so he makes a typo and actually types "sl" instead.
The malignant user has a script called "sl" in his home dir:

    #!/bin/sh
    # Do bad stuff as root...
    rm -f sl
    echo "bash: sl: command not found" >&2

And root never knew what hit him...

--
   /'"`\   zzzZ  | My PGP Public Key is available at:
  ( - - )        | <http://home1.inet.tele.dk/renehl/>
--oooO--(_)--Oooo------------------------------------------
Don't ya just hate it when there's not enough room to fin
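
An added example, not part of the original post: a POSIX sh function that flags the PATH entries this thread warns about. It goes beyond the literal "." to the equivalent cases, an empty element (leading, trailing or doubled colon), which the shell also searches as the current directory, and any other relative entry. The function name audit_path is an assumption of this example.

```shell
#!/bin/sh
# Added example: audit a PATH string for entries that resolve relative to
# the current directory. The name audit_path is an assumption of this example.
# Usage: audit_path "$PATH"

audit_path() {
    ap_rest="$1:"   # trailing colon so a final empty element is still visited
    ap_idx=0
    ap_rc=0
    while [ -n "$ap_rest" ]; do
        ap_elem=${ap_rest%%:*}      # text up to the first colon
        ap_rest=${ap_rest#*:}       # everything after that colon
        ap_idx=$((ap_idx + 1))
        case $ap_elem in
            '')
                echo "element $ap_idx: empty entry, searched as the current directory"
                ap_rc=1 ;;
            .)
                echo "element $ap_idx: '.' is the current directory"
                ap_rc=1 ;;
            /*)
                ;;  # absolute path: does not change with the working directory
            *)
                echo "element $ap_idx: relative entry '$ap_elem' depends on the current directory"
                ap_rc=1 ;;
        esac
    done
    # 0 when every element is absolute, 1 when at least one finding was printed
    return "$ap_rc"
}
```

Run it as `audit_path "$PATH"` from root's login environment; a non-zero exit status means at least one entry would be resolved against whatever directory the shell happens to be in.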