Message-Id: <10633.118117@fatcity.com>
From: "Marin Dimitrov"
Date: Thu, 28 Sep 2000 10:23:38 +0300
Subject: Re: Unix Security for Unix Gurus

Suppose I place a program called "ps" or "df" or whatever popular in /tmp (or somewhere else) that is a trojan horse sending the password file to a remote host. Then if the root changes directory to /tmp and tries "ps" or "df" u have a problem because the trojan horse will be executed instead of the binaries in /bin

hth,

    Marin

------------
"The happier people can be, the unhappier they are..."
        "Veronika decides to die", Paolo Coelho

----- Original Message -----
From: Sanjay Kumar
To: Multiple recipients of list ORACLE-L
Sent: Thursday, September 28, 2000 04:30
Subject: Unix Security for Unix Gurus

Hi,

I was going thru the Unix documentation and came across the following.

This is about setting PATH. The following is one of the suggestions for setting efficient PATH.

If security is not a concern, put the current working directory (.) first in the path.

However, including the current working directory in the path poses a security risk that you might want to avoid, especially for superuser.

My question is how does setting the current directory pose a security threat?

TIA

Sanjay Kumar
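
Added example, not part of the original messages: a POSIX shell check for the PATH entries that make the substitution described in the reply possible. It goes beyond the literal "." case to cover empty entries (a leading, trailing or doubled colon, which the shell also searches as the current directory), relative entries and world-writable directories such as /tmp; the function name audit_path and the sample PATH values are constructed for illustration.

```sh
#!/bin/sh
# Added example: report PATH entries that let a file planted in the
# current directory (or in a directory anyone can write to) shadow a
# system command such as ps or df.

# audit_path PATHSTRING
# Prints one finding per risky entry; returns 1 if any was found, else 0.
audit_path() {
    ap_rest="$1:"          # trailing ':' so the loop also sees a final empty entry
    ap_status=0
    ap_pos=0
    while [ -n "$ap_rest" ]; do
        ap_entry=${ap_rest%%:*}    # text before the first ':'
        ap_rest=${ap_rest#*:}      # text after it
        ap_pos=$((ap_pos + 1))
        case $ap_entry in
            '')
                ap_why='empty entry, searched as the current directory' ;;
            .)
                ap_why='"." is the current directory' ;;
            /*)
                # Absolute entry: risky only if any user may create files in it.
                # Character 9 of the ls mode string is the "other" write bit.
                ap_why=''
                if [ -d "$ap_entry" ] &&
                   [ "$(ls -ldL "$ap_entry" 2>/dev/null | cut -c9)" = w ]; then
                    ap_why='world-writable directory'
                fi ;;
            *)
                ap_why='relative entry, resolved against the current directory' ;;
        esac
        if [ -n "$ap_why" ]; then
            printf 'entry %d [%s]: %s\n' "$ap_pos" "$ap_entry" "$ap_why"
            ap_status=1
        fi
    done
    return "$ap_status"
}

# Constructed sample values (not taken from any real system).
for sample in '/usr/bin:/bin' '.:/usr/bin:/bin' '/usr/bin::/bin' '/usr/bin:/bin:' 'bin:/usr/bin'; do
    printf 'PATH=%s\n' "$sample"
    audit_path "$sample" || true
done
```

Run it against a live setting with audit_path "$PATH"; for root's login environment the function should print nothing and return 0.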
 