Re: Adding . and /usr/local/bin to PATH raises security issue??

From: Nick Landsberg (hukolau_at_att.net)
Date: 02/19/04


Date: Thu, 19 Feb 2004 21:20:35 GMT


Forte Agent wrote:

> I heard adding "." and "/usr/local/bin" to PATH raises security issue.
> Is that true? Why? Thank you in advance.
>
>

"." is dangerous because if you cd to a random directory,
for example, and type "ls", someone could have put
a script in there which does "rm -rf $HOME", called
it "ls", and marked it executable. If the "." is in
$PATH before /bin, then this local script will
be executed.

As far as "/usr/local/bin" is concerned, it depends
on who is allowed to write into that directory.
If it's wide open, the same thing can happen.

Whether this is truly a "security issue" is a
matter of definition. It definitely is anti-social
behavior. :)

P.S. - this reminds me of a story about a true
neophyte who was given the task of adding and deleting
users from a system. Sounds like a clerical job,
right? (This was in the old days, when
you manually had to add/delete entries from /etc/passwd,
make the appropriate home directory, etc.)
Editing the passwd file requires root permissions
so this person HAD to know the root password.
He/she got tired of the manual steps and soon wrote
shell scripts to do most of the grunt work.
The one for adding a user he called "au" and the
one for deleting a user he called "du".

I will leave it to your imagination as to what
happened when the real administrator was in the
wrong directory and typed "du /usr" while logged
in as root. (Yes, "." was in the path... first!)


-- 
"It is impossible to make anything foolproof because fools are so 
ingenious" - A. Bloch
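
The two conditions described in the post above ("." in the search path, and a PATH directory that others can write into) can be checked mechanically. The following is an added example, not part of the original post; the function name audit_path and the sample PATH string are assumptions made for illustration. It also flags empty and relative entries, which the shell resolves against the current directory just like ".".

```shell
#!/bin/sh
# Added example (not from the original post): audit a PATH string for the
# risks described above. audit_path is a hypothetical helper name.

# Usage: audit_path "$PATH"
# Prints "position: entry: reason" for each risky entry, in search order
# (an earlier entry shadows a later one). Returns 1 if anything was reported.
audit_path() {
    rest="$1:"          # trailing ':' so the last entry is parsed too
    pos=0
    found=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        pos=$((pos + 1))
        reason=
        case $entry in
            '') reason="empty entry, searched as the current directory" ;;
            .)  reason="current directory" ;;
            /*) # Absolute: risky if other users can drop files into it.
                # -H follows a symlinked entry such as /bin -> usr/bin.
                if [ -d "$entry" ]; then
                    if [ -n "$(find -H "$entry" -prune -perm -0002 2>/dev/null)" ]; then
                        reason="world-writable directory"
                    elif [ -n "$(find -H "$entry" -prune -perm -0020 2>/dev/null)" ]; then
                        reason="group-writable directory, check group membership"
                    fi
                fi ;;
            *)  reason="relative entry, resolved against the current directory" ;;
        esac
        if [ -n "$reason" ]; then
            echo "$pos: ${entry:-<empty>}: $reason"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample mirroring the question: "." first, then /usr/local/bin.
audit_path ".:/usr/local/bin:/bin" || echo "fix the entries listed above"
```

Run it as audit_path "$PATH" from the account being checked, root in particular.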

