[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: PATH and security
From: |
Bruno Haible |
Subject: |
Re: PATH and security |
Date: |
Sun, 20 Apr 2008 21:14:03 +0200 |
User-agent: |
KMail/1.5.4 |
Jim Meyering wrote:
> If security isn't enough of an argument, you can consider this yet another
> reason not to put "." early in your PATH. Please consider removing
> "." from your PATH altogether. Yes, that does make for some small amount
> of extra typing (you have to prefix certain commands with "./"), but
> that is a small price to pay for the reduced risk of mishap.
> [Sorry to harp on this again, but I wouldn't want readers to get the
> impression that it's ok to have "." *anywhere* in PATH, much less
> near the beginning. ]
The only security argument I've seen so far against "." in PATH is that
every user, at some point in time, does things like
$ cd /tmp
$ ls -l
and another user on the same machine may have stored a malicious program
at /tmp/ls.
A similar argument holds for group-writable directories on machines where
you don't trust all users of the same group.
But when you are on a LAN where you trust all users, or on a firewalled
machine where you are the only user and even your own sysadmin, I see no
point in reducing the PATH. - If you trust everyone in your house, and have
a lock at the door of your house, would you also lock your bedroom's door
at night?
Bruno