
Re: why is there . [dot] in default PATH?

On Tue, 2006-04-04 at 21:15 +0200, RedShift wrote:
> I cannot see how this would be exploitable. root doesn't have . in its 
> PATH. Other people were discussing cat and cta for example. For this to 
> work, one would have to be able to write to the victim's home directory, 
> and - of course - the victim would have to make that typo. And it only 
> works when targeting a user, not the computer itself.
> I would consider it something handy, in case you don't have write access 
> outside your home directory, so you can use your own executables, that 
> can be executed without adding the full path.
> In my opinion this bug|feature|exploit doesn't pose any threat to system 
> security.
> Actually that . has been there since the very first version of 
> skel/dot.profile CVS check in.
> Glenn

Can see your point here, but I prefer to play on the paranoid side of
the fence hence my dislike of this.  I'm not sure it should be there by
default, rather if you like it you should add it.
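
An added example, not part of either poster's message: a POSIX shell check that lists every PATH entry resolved against the current directory (`.`, an empty entry, or any relative path) and reports whether it precedes an absolute directory. The function name `audit_path`, the output labels and the sample PATH strings are constructed for illustration.

```shell
#!/bin/sh
# audit_path PATHSTRING
# Prints one line per PATH entry that is resolved against the current
# directory: ".", an empty entry (leading, trailing or doubled colon),
# or any other relative path. Exit status is 1 if any were found.
audit_path() (
    rest="$1:"          # trailing ":" so a final empty entry is not lost
    pos=0
    found=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        pos=$((pos + 1))
        case $entry in
            /*) continue ;;              # absolute directory: not cwd-relative
            '') label='<empty>' ;;       # empty entry means current directory
            *)  label=$entry ;;          # ".", "./bin", "bin", ...
        esac
        # If an absolute directory comes later, a file in the current
        # directory wins over commands there (the "cat" case). Otherwise
        # only names found in no earlier directory are affected (the
        # "cta" typo case).
        case ":$rest" in
            *:/*) effect=shadows-later-dirs ;;
            *)    effect=fallback-only ;;
        esac
        printf '%s %s %s\n' "$pos" "$label" "$effect"
        found=1
    done
    exit "$found"
)

# Constructed sample values, not taken from any real system.
SAMPLE_SAFE='/usr/local/bin:/usr/bin:/bin'
SAMPLE_DOT_LAST='/usr/bin:/bin:.'
SAMPLE_MIXED=':/usr/bin::bin:/bin:'

audit_path "$SAMPLE_MIXED" || true
```

Running `audit_path "$PATH"` from a login shell shows whether the account's own profile adds such an entry.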