Bugtraq mailing list archives

Re: PATH variable in zip-slackware 2.0.35


From: rattle () TLORAH NET (Rattle)
Date: Mon, 4 Jan 1999 02:29:24 -0600


On Sat, 21 Nov 1998, Cacaio Torquato wrote:

> Just FYI:
>
> As I have seen in Slackware 3.4 CD-Rom, these two entries are also in the
> default PATH.
>
> Maybe this entry is also included in the default PATH of other versions of
> Slackware.

As far as I can remember, "/usr/andrew" and "." have been in the PATH
on every version of Slackware I have ever installed.  Which probably
means it's even in pre 2.0 releases.

While the presence of "/usr/andrew" is (in most cases) nothing more than
"clutter", having "." in your path is a very common mistake admins make.
Mainly because people can be too lazy to type ./configure when installing
packages.  As previously mentioned, this can be used by the common script
kiddie to easily make a suid shell or other 4xxx toy for himself.

Many a machine has been cracked by someone inserting a script named "ls"
in the /tmp dir.

Also, there are hooks in various Slackware startup scripts (i.e.
/etc/rc.d/rc.inet2) to start up various daemons that are not installed by
default.  The first one that comes to mind is sshd.  While this is not a
security risk (as it only looks to the dirs "/usr/sbin" and
"/usr/local/sbin").  I may be mistaken (It's kinda late here.. heh), but I
can swear that it is not commented out by default.  As I said, not a
blatant security risk, but if you have sshd installed, but don't want it
to run..  You may want to comment that out.  (And if you don't use
ssh/scp, you should..)

...
. Nick Levay
. rattle () tlorah net
. "There are two major products that come out of Berkeley:  LSD and UNIX.
. We do not believe this to be a coincidence."
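
A check for the PATH problem discussed in this message, added here as an example and not part of the original post: it flags ".", empty entries (which the shell also treats as the current directory), relative entries, and directories any user can write to, such as /tmp. The function names audit_path and is_world_writable are made up for this illustration.

```shell
#!/bin/sh
# Added example: flag PATH entries that let a file dropped in the current
# or a shared directory shadow a system command such as "ls".

# is_world_writable DIR: succeeds if "other" has write permission on DIR.
# (Hypothetical helper; reads the mode string printed by ls -ld.)
is_world_writable() {
    mode=$(ls -ldL "$1" 2>/dev/null) || return 1
    case $mode in
        ????????w*) return 0 ;;   # 9th character is the "other" write bit
        *)          return 1 ;;
    esac
}

# audit_path PATH_STRING
# Prints one "REASON<TAB>ENTRY" line per risky entry; returns 1 if any found.
audit_path() {
    found=0
    # A leading/trailing ":" or "::" is an empty entry, which the shell
    # searches as the current directory. Append a sentinel ":" so the
    # split below also sees a trailing empty entry.
    rest="$1:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            "") printf 'empty-means-cwd\t(empty)\n'; found=1 ;;
            .)  printf 'current-dir\t.\n'; found=1 ;;
            /*) # absolute entry: risky if any user may create files in it
                if [ -d "$entry" ] && is_world_writable "$entry"; then
                    printf 'world-writable\t%s\n' "$entry"; found=1
                fi ;;
            *)  printf 'relative\t%s\n' "$entry"; found=1 ;;
        esac
    done
    return $found
}

# Audit the PATH of the account running this script (root matters most).
audit_path "$PATH" || echo "risky PATH entries found" >&2
```

Run it as each privileged account, since the PATH set by login scripts can differ per user.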


