edhall@Rand-Unix.ARPA (04/11/84)
From: Ed_Hall <edhall@Rand-Unix.ARPA> The order that library directories are searched under 4.1 UNIX is: /usr/lib/ /lib/ /usr/local/lib/ If a given library is found in a given directory, subsequent directories will *not* be searched for that library. Thus there is no way for a publicly-provided library to overcome system security unless a system library required from /usr/lib/ or /lib/ is missing. I must strongly advise against making /usr/local/ itself writable, as this is in many people's path list for executables and thus provides a perfect place for spoof command security attacks. But /usr/local/lib/ should be OK as long as no one has it in their search paths and no program incorporating a library there is made publically available without checking both the program and the library for Trojan Horses. -Ed Hall, Rand Corp. edhall@rand-unix.ARPA decvax!randvax!edhall.UUCP