http://bugzilla.novell.com/show_bug.cgi?id=608071

http://bugzilla.novell.com/show_bug.cgi?id=608071#c6

--- Comment #6 from Dr. Werner Fink <werner@novell.com> 2010-05-26 09:22:06 UTC ---
(In reply to comment #5)

Not only ghostscript but also using the `.' in the personal PATH is a simple
problem. Suppose that the user does a

    cd /tmp
    ls

and now suppose another user had done

    echo -e '#!/bin/sh\ncd\nrm -rf .' > /tmp/ls
    chmod 755 /tmp/ls

.. do you see the problem of having `.' in first place within the execution
path? Please note that e.g. /tmp, /tmp/.X11-unix, /tmp/.ICE-unix, /var/tmp,
/var/crash, /var/tmp/vi.recover, /var/spool/mail, /var/cache/fonts, and the
TeX subdirectories do show this kind of problem. This is because for creating
such killer traps within the home directory of the user the attacker has to
gain the user's ownership.

You may compare this with /etc/permissions ... to harden your system you may
set PERMISSION_SECURITY in /etc/sysconfig/security to "secure paranoid local"
and run

    SuSEconfig --module permissions

but be aware that your system could lose some usability.
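
A defensive check for the problem described in comment #6, as an added example that is not part of the original bug comment: it walks a PATH string and reports entries that resolve to the current directory (`.`, an empty component, or a relative name) as well as absolute entries that are world-writable directories such as /tmp. The function name `audit_path` and the output format are assumptions made for this example.

```sh
#!/bin/sh
# Added example (audit_path is a hypothetical helper, not an openSUSE tool).
# Prints one finding per line as "<position> <kind> [<entry>]"; position 1 is
# searched first. Returns 0 when nothing was flagged, 1 otherwise.
audit_path() {
    rest="$1:"          # trailing ':' keeps a final empty component visible
    pos=0
    findings=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        pos=$((pos + 1))
        case $entry in
            '') kind=empty-means-cwd ;;   # "::" or a leading/trailing ':' acts like '.'
            .)  kind=cwd ;;
            /*) kind= ;;
            *)  kind=relative ;;          # resolved against the working directory
        esac
        # Absolute directory: flag it when "other" has write permission.
        # The sticky bit on /tmp does not stop a user from creating a new file.
        if [ -z "$kind" ] && [ -d "$entry" ]; then
            case $(ls -ldL "$entry" | cut -c1-10) in
                d???????w?) kind=world-writable ;;
            esac
        fi
        if [ -n "$kind" ]; then
            printf '%s %s [%s]\n' "$pos" "$kind" "$entry"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Check the PATH of the current shell.
audit_path "$PATH" || echo "PATH contains entries another local user could abuse" >&2
```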