Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: PATH variable in zip-slackware 2.0.35

From: kay () PHREEDOM ORG (kay)
Date: Sat, 2 Jan 1999 21:29:12 +0200

On Sat, 2 Jan 1999, Steven Alexander wrote:


I recently downloaded the zip disk version of slackware 2.0.35 and I noticed
two entries that I didn't like in the default PATH:     :/usr/andrew/bin
and :.
The directory /usr/andrew doesn't exist and shouldn't be included in the
default path.  Also '.' should never be included in root's default path as
it gives the possibility that a user might place a trojan into a his/her
home directory or another user writeable  directory.  i.e.: placing a shell
script 'more' in their home directory that creates a SUID copy of bash
before executing 'more' .  Anyway, placing '.' in your path is a bad idea.


I will assume you are talking about the Slackware 3.6 distribution...

The directory /usr/andrew/bin should contain the Andrew User Interface
System packages. Those are from the Slackware contributed packages,
slackware-3.6/contrib/auis63L4-*.tgz. Note that they are neither
maintained or supported by Pat Volkerding but by their respective authors.

It is not only zip-slack that contains those in the default PATH variable,
this is found in

/etc/profile:
PATH="$PATH:/usr/X11R6/bin:/usr/andrew/bin:$OPENWINHOME/bin:/usr/games:."

/etc/csh.login:
set path = ( $path /usr/X11R6/bin /usr/andrew/bin $OPENWINHOME/bin/usr/games . )


Also the dot has been included in the path for all versions in
the Slackware distribution I've worked with - 3.[456]. Probably it's the
same with some older ones. The obvious workaround is just to remove those
entries in system-wide scripts.


cheers,
Steve
Previous By Date Next
Previous By Thread Next

Current thread: