/etc/profile security question

Fellow S.u.S.E. users:

I remember reading somewhere that it was poor or not a good practice to have the current directory '.' in the $PATH environment variable. In /etc/profile, it has the following statement that adds it in:

    test "$UID" = 0 || PATH="$PATH:."    # *unless you're 'root'

Is this wise or should I keep it there so as not to disturb the surrounding code?

Mark

Mark B Withers wrote:
> Fellow S.u.S.E. users:
>
> I remember reading somewhere that it was poor or not a good practice
> to have the current directory '.' in the $PATH environment variable.

It's very bad if you're root. OTOH normal users have less to worry about. Just make sure . is at the end of the path.

Nick

--
--------------------------------------------------
Nick Zentena
"Microsoft has unjustifiably jeopardized the stability and security of the operating system."
U.S. District Judge Thomas Penfield Jackson Nov 5/1999
--------------------------------------------------

Ok. Thanks for the info!

Mark

On Fri, 4 Feb 2000, Nick Zentena wrote:
> Mark B Withers wrote:
> > Fellow S.u.S.E. users:
> >
> > I remember reading somewhere that it was poor or not a good practice
> > to have the current directory '.' in the $PATH environment variable.
>
> It's very bad if you're root. OTOH normal users have less to worry
> about. Just make sure . is at the end of the path.
>
> Nick

On Fri, Feb 04, 2000 at 11:07:13AM -0500, Mark B Withers wrote:
> Ok. Thanks for the info!
> Mark

In case you want to know *why* it's so bad, take this example: some malicious normal user makes a program in /tmp that erases every directory it can find, and calls it 'ls'. The system administrator logs in, and eventually will type 'ls' in /tmp. Since . is first in his path, he will not execute his normal ls, but instead the ls from the malicious user. Since he's root, the program will erase everything. If . is at the end of his path, Mark Alicious can still guess typing errors etc. to make root inadvertently execute a program.

Jurriaan

--
As of next week, passwords will be entered in Morse code.
Linux 2.2.14 SMP up 1:46 5 users load av: 1.43 2.18 1.54

> > I remember reading somewhere that it was poor or not a good practice
> > to have the current directory '.' in the $PATH environment variable.
>
> It's very bad if you're root. OTOH normal users have less to worry
> about. Just make sure . is at the end of the path.

It's equally bad if you are an ordinary user. Having '.' in your path makes you vulnerable. If you are root the whole system is at stake; if you are an ordinary user, you might 'only' lose your data...

Andre'

--
André Pönitz ......................... poenitz@mathematik.tu-chemnitz.de
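The thread turns on two questions: is the current directory in the search path at all, and if so, is it first, last or somewhere in between. The POSIX sh script below is an added example, not code posted by anyone in the thread, that audits a PATH value for that. It treats an explicit "." and an empty entry (a leading ":", a trailing ":" or "::" in the middle) the same way the shell's command lookup does, namely as the current directory; the function names and the sample PATH values are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a PATH value for entries
# that make the shell search the current working directory.
# Both an explicit "." and an empty entry (leading ":", trailing ":",
# or "::" in the middle) mean "look in the current directory".

# cwd_entries PATHVALUE
# Prints "<position> <entry>" for every such entry (1-based positions;
# an empty entry is shown as "<empty>"). Exit 0 if any were found, 1 if none.
cwd_entries() {
    _rest="$1:"     # trailing ":" lets the loop see a trailing empty entry
    _pos=1
    _status=1
    while [ -n "$_rest" ]; do
        _entry="${_rest%%:*}"
        _rest="${_rest#*:}"
        case "$_entry" in
            .|./)  printf '%d %s\n' "$_pos" "$_entry"; _status=0 ;;
            "")    printf '%d <empty>\n' "$_pos";       _status=0 ;;
        esac
        _pos=$((_pos + 1))
    done
    return "$_status"
}

# cwd_placement PATHVALUE
# Summarises where the current directory sits in the search order, which is
# what the thread argues about: none, first, last, middle or multiple.
cwd_placement() {
    # number of entries == number of ":" once a trailing ":" is appended
    _total=$(( $(printf '%s:' "$1" | tr -cd ':' | wc -c) ))
    _hits=$(cwd_entries "$1") || { echo none; return 0; }
    _count=$(( $(printf '%s\n' "$_hits" | wc -l) ))
    if [ "$_count" -gt 1 ]; then
        echo multiple
        return 0
    fi
    _pos="${_hits%% *}"
    if [ "$_pos" -eq 1 ]; then
        echo first
    elif [ "$_pos" -eq "$_total" ]; then
        echo last
    else
        echo middle
    fi
}

# path_without_cwd PATHVALUE
# Prints PATHVALUE with every current-directory entry removed.
path_without_cwd() {
    _rest="$1:"
    _out=""
    while [ -n "$_rest" ]; do
        _entry="${_rest%%:*}"
        _rest="${_rest#*:}"
        case "$_entry" in
            .|./|"") ;;                                 # drop it
            *) _out="${_out:+$_out:}$_entry" ;;         # keep, ":"-joined
        esac
    done
    printf '%s\n' "$_out"
}

# Stand-alone run: report on the calling shell's own PATH.
printf 'current directory in PATH: %s\n' "$(cwd_placement "$PATH")"
cwd_entries "$PATH" || :
```

Running `cwd_placement "$PATH"` from a login shell on a system with the /etc/profile line quoted at the top of the thread should print `last` for a non-root user and `none` for root, which is exactly the distinction Nick and André are weighing. `path_without_cwd` gives the value to export if you decide the entry should go regardless of position.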
participants (4)
- Andre Poenitz
- Mark B Withers
- Nick Zentena
- thunder7@xs4all.nl