Bugtraq mailing list archives
Re: PATH variable in zip-slackware 2.0.35
From: bandregg () REDHAT COM (bandregg () REDHAT COM)
Date: Tue, 5 Jan 1999 09:49:00 -0500
[ I told myself to stay out of this. ]

On Mon, 4 Jan 1999 15:02:54 -0600, "Patrick J. Volkerding" wrote:

> 3. If you put '.' last in the $PATH, it's a minimal risk, IMHO. If you use
> normal care in user-writable directories you're not likely to ever have a
> problem. Attacks would depend on specific typos in specific user-writable
> directories matching the filename of an attack script. This would be
> extremely rare. However, if you fall into category (1), you can change the
> default $PATH easily. It's hardly a hidden setting.

    # cd /tmp
    # sl
    bash: sl: command not found

I argue that this is a fairly common occurrence when typing quickly or sloppily. Whether or not I *can* change $PATH has nothing to do with the fact that the $PATH you are providing is *less* secure than it can be. People don't need the ability to run arbitrary programs from their current directory without the "./". They don't, end of story.

--
Bryan C. Andregg * <bandregg () redhat com> * Red Hat Software

"I was really tired and could not fall asleep."
    -- Evaluation Comment for my Tutorial
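A check for the setting debated in this thread, as an added example that is not part of the original post: it audits a PATH-style string for entries that make the shell search the current directory, including empty fields (a leading, trailing or doubled colon), which behave like '.'. The function names `audit_path` and `strip_cwd_entries` and the sample value are constructed for illustration.

```sh
#!/bin/sh
# Added example (hypothetical helper names): find and remove PATH entries
# that resolve relative to the current working directory.

# Print one line per risky entry as "<position>:<kind>:<entry>".
#   dot      - a literal "." or "./"
#   empty    - an empty field, which the shell treats as the current directory
#   relative - any other entry that does not start with "/"
audit_path() {
    rest="${1}:"          # sentinel colon so a trailing empty field is seen
    pos=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}  # text before the first colon
        rest=${rest#*:}    # everything after the first colon
        pos=$((pos + 1))
        case $entry in
            '')    echo "${pos}:empty:" ;;
            .|./)  echo "${pos}:dot:${entry}" ;;
            /*)    ;;      # absolute entry: not cwd-dependent
            *)     echo "${pos}:relative:${entry}" ;;
        esac
    done
}

# Print the same PATH with only absolute entries kept, order preserved.
strip_cwd_entries() {
    rest="${1}:"
    clean=
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            /*) clean="${clean:+$clean:}$entry" ;;
        esac
    done
    printf '%s\n' "$clean"
}

# Constructed sample: '.' placed last, plus an accidental trailing colon.
sample='/usr/local/bin:/usr/bin:/bin:.:'
audit_path "$sample"
strip_cwd_entries "$sample"
```

Running `audit_path "$PATH"` from a login script or a configuration audit reports the position of each offending entry, so a default that ships '.' last is flagged the same way as one that ships it first.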