
Re: Unix Security for Unix Gurus

From: Allan Nelson <anelson_at_houston.rr.com>
Date: Thu, 28 Sep 2000 08:19:47 -0500
Message-Id: <10633.118143@fatcity.com>


Because a malicious person could put a program named ls, for instance, in your current directory. If you then executed ls you would pick up the trojan and execute that instead of your expected command.

Allan

  Hi,

  I was going thru the Unix documentation and came across the following.

  This is about setting PATH. The following is one of the suggestions for setting efficient PATH.

  If security is not a concern, put the current working directory (.) first in the path.

  However, including the current working directory in the path poses a security risk that you might want to avoid, especially for superuser.

  My question is how does setting the current directory pose a security threat?

  TIA   Sanjay Kumar

Received on Thu Sep 28 2000 - 08:19:47 CDT
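
The lookup order discussed in this thread, as an added example that is not part of the original messages: a POSIX shell audit that flags PATH entries resolved against the current directory, shows which file wins the lookup, and prints a cleaned PATH. It goes slightly beyond the "." case in the thread by also flagging empty entries (a leading, trailing or doubled colon), which the shell likewise treats as the current directory. The function names and the sample value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# audit_path PATHSTRING
# Prints "<position> <kind>" for every entry that is looked up relative to
# the current directory: "dot" (.), "empty" (zero-length entry left by a
# leading, trailing or doubled colon) or "relative" (no leading /).
audit_path() {
    rest="$1:"    # sentinel colon so a trailing empty entry is not lost
    pos=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}; pos=$((pos + 1))
        case $entry in
            "") echo "$pos empty" ;;
            .)  echo "$pos dot" ;;
            /*) ;;
            *)  echo "$pos relative" ;;
        esac
    done
}

# resolve_cmd NAME PATHSTRING
# Approximates command lookup: walks PATHSTRING left to right and prints
# the first executable regular file called NAME; returns 1 if none.
resolve_cmd() {
    rest="$2:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}
        [ -n "$entry" ] || entry=.    # empty entry means current directory
        if [ -f "$entry/$1" ] && [ -x "$entry/$1" ]; then
            echo "$entry/$1"
            return 0
        fi
    done
    return 1
}

# strip_cwd PATHSTRING: prints PATHSTRING with only absolute entries kept.
strip_cwd() {
    rest="$1:"; clean=""
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}
        case $entry in /*) clean="${clean:+$clean:}$entry" ;; esac
    done
    echo "$clean"
}

SAMPLE='.:/usr/local/bin:/usr/bin::/bin'    # constructed sample value
audit_path "$SAMPLE"                        # reports entries 1 and 4
strip_cwd "$SAMPLE"                         # /usr/local/bin:/usr/bin:/bin
```

Running audit_path "$PATH" in root's login shell is the quickest check that the superuser PATH contains none of these entries.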
