drector@orion.oac.uci.edu (David Rector) (12/21/90)
I am compiling Tom Roell's X-server and have found an instance of a serious UNIX security problem that is too little known to the UNIX user community. In mit/config/at386.cf, the definitions

#define DefaultUserPath .:/bin:/usr/bin:/usr/bin/X11:/usr/local/bin
#define DefaultSystemPath .:/bin:/usr/bin:/usr/bin/X11:/usr/local/bin:/etc

appear. The '.' (current directory) should be deleted from these lines.

WARNING: NEVER put '.' (current directory) first in your path. Better yet, don't put '.' in your path at all. It leaves you vulnerable to a classic trojan horse: a fake 'ls', or other UNIX command, in someone's directory. System administrators, consultants, course instructors, and so forth, are particularly vulnerable to this ploy. (A computer science teaching assistant at my campus got zapped with this recently.)

The insidious nature of this security hole is that only the individual user can protect him/herself from attack. Naturally, in keeping with the documentation standards of the UNIX community, mention of this problem does not appear anywhere that ordinary users--or even ordinary system administrators--are likely to encounter it.

----------

To Tom Roell: thank you for the service you have performed for the i386 user community in creating your PD X-server. As for the fuss over legality, in the US we have a fake Latin saying: "Illegitimi non carborundum est" which we translate "Don't let the bastards grind you down!"

--
David L. Rector   drector@orion.oac.uci.edu
Dept. of Math. U. C. Irvine, Irvine CA 92717
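A small audit script for the problem the post describes, added here as an example and not part of the post or of the X-server sources. It flags the '.' entry, empty entries (which the shell also treats as the current directory), relative entries, and world-writable directories in a PATH value, and prints a cleaned PATH; the function names and the sample PATH values are constructed for this example.

```sh
#!/bin/sh
# audit_path PATHVALUE: print a warning for each unsafe element.
# Returns 0 if nothing was found, 1 otherwise.
audit_path() {
    path="$1"
    bad=0
    # Wrapping in ':' turns a leading, trailing or doubled ':' into '::',
    # and makes '.' show up as ':.:' wherever it sits in the list.
    case ":$path:" in
        *::*)  echo "WARNING: empty PATH element (acts like '.')"; bad=1 ;;
    esac
    case ":$path:" in
        *:.:*) echo "WARNING: '.' (current directory) in PATH"; bad=1 ;;
    esac
    oldifs=$IFS; IFS=:
    for dir in $path; do
        case "$dir" in
            ""|.) ;;                         # already reported above
            /*)                              # absolute: ok unless anyone can write it
                if [ -d "$dir" ] && [ -n "$(find "$dir" -prune -perm -0002 2>/dev/null)" ]; then
                    echo "WARNING: $dir is world-writable"; bad=1
                fi ;;
            *)  echo "WARNING: relative entry '$dir' in PATH"; bad=1 ;;
        esac
    done
    IFS=$oldifs
    return $bad
}

# sanitize_path PATHVALUE: print the value with '.', empty and relative
# entries removed (world-writable directories are only reported, not dropped).
sanitize_path() {
    out=""
    oldifs=$IFS; IFS=:
    for dir in $1; do
        case "$dir" in
            /*) out="${out:+$out:}$dir" ;;
        esac
    done
    IFS=$oldifs
    printf '%s\n' "$out"
}

# Demo on a constructed value shaped like the defaults quoted in the post.
sample=".:/bin:/usr/bin:/usr/bin/X11:/usr/local/bin"
audit_path "$sample" || echo "suggested PATH: $(sanitize_path "$sample")"
```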