
Re: To "." or not to "."?



I was just wondering if it is bad for security to have "." or ":." at the
end of the path, or if removing it would break anything.

For example, I ran into this when X wouldn't work for a non-root user with the
default:

. . .   :/usr/games:/usr/X11R6/bin.

(with a "." at the end, after "bin", with no space in between), but either
removing the "." from the end or changing the end to ":." allowed non-root
access to X.

?

----- Original Message -----
From: Theo de Raadt <deraadt@cvs.openbsd.org>
To: anonymous <vcharlie@mindspring.com>
Cc: <misc@openbsd.org>
Sent: Sunday, 2003 January 12 21:55
Subject: Re: To "." or not to "."?


> User expectation reality does not let us remove it.  This will not be
> changed.
>
> > Hi,
> >
> > 1)  I am wondering why in the OpenBSD 3.2 default user .profile path
> > statement, the current directory (".") is:
> >
> >  . . . :/usr/games:/usr/X11R6/bin.        (with a "." at
> > the end, after "bin", with no space in between).
> >
> > If the "." is just to add the current directory to the path statement,
> > shouldn't there be a colon (":") before the ".", like there is in front of
> > the other directories in the path statement?  Like this:
> >
> >  . . . :/usr/games:/usr/X11R6/bin:.        (with a "." at
> > the end, after ":bin", with no spaces in between).
> >
> >
> > 2)  If the "." is removed, I guess this means that the shell cannot run an
> > executable file that is in the current directory (when not in the path
> > statement) unless it is explicitly called, as in:
> >
> > ./<program_name>
> >
> > I have been told that "." may be in the path statement just to include the
> > current directory to the path, and that  "Most people find that to be bad
> > form. It lets your shell, and any program run from it, run any executable
> > where it can get to its directory. I would suggest taking that out for
> > security's sake."  Is that correct?  If so, since OpenBSD is designed to be
> > "secure by default",  shouldn't the "." be absent from the path statement by
> > default?
> >
> > ?
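
Added example, not part of the original thread: a POSIX sh check that splits a PATH string on ":" and tells apart the two endings discussed above, "bin." (one entry naming a directory literally called "bin.") and "bin:." (the current directory as its own entry). The function names `audit_path` and `path_is_clean` are hypothetical, and the sample strings use only the tail of the path quoted in the messages.

```sh
#!/bin/sh
# Added example (not from the thread): classify every entry of a PATH string.
# Output: one "class<TAB>entry" line per entry, where class is
#   cwd        "." or an empty entry (POSIX treats an empty entry as the
#              current directory, so "a::b", ":a" and "a:" all include it)
#   relative   does not start with "/", so it resolves against the cwd
#   fused-dot  absolute path ending in "." glued to a name, e.g. "bin."
#              where "bin:." was probably meant; it names a directory
#              literally called "bin." and never adds the cwd
#   ok         any other absolute path
audit_path() {
    # Plain POSIX sh: no "local", so these variables are global.
    rest="$1:"                      # sentinel ":" keeps a trailing empty entry
    while [ -n "$rest" ]; do
        entry=${rest%%:*}           # text before the first ":"
        rest=${rest#*:}             # text after the first ":"
        case $entry in
            ''|.)      class=cwd ;;
            /*[!./].)  class=fused-dot ;;
            /*)        class=ok ;;
            *)         class=relative ;;
        esac
        printf '%s\t%s\n' "$class" "$entry"
    done
}

# Succeeds only when every entry is classified "ok".
path_is_clean() {
    [ -z "$(audit_path "$1" | grep -v '^ok')" ]
}

# Constructed samples: only the tail of the path quoted in the thread.
audit_path "/usr/games:/usr/X11R6/bin."
audit_path "/usr/games:/usr/X11R6/bin:."
```

Running `audit_path "$PATH"` in a login shell applies the same classification to the live search path.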