bug-coreutils

Re: PATH and security


From: Eric Blake
Subject: Re: PATH and security
Date: Tue, 22 Apr 2008 23:01:46 -0600
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080213 Thunderbird/2.0.0.12 Mnenhy/0.7.5.666

According to Jim Meyering on 4/22/2008 5:13 PM:
|>> If security isn't enough of an argument, you can consider this yet another
|>> reason not to put "." early in your PATH.  Please consider removing
|>> "." from your PATH altogether.

|
| Besides, I recognize that no system is immune from risk.
| I.e., a bug in my browser may allow malicious code to create
| that /tmp/ls file you mentioned.

I personally like having . in my PATH on systems I manage, but only at the
end and never first, so I can guarantee that any important program (like
/bin/ls) cannot be inadvertently replaced by a malicious /tmp/ls.

--
Don't work too hard, make some time for fun as well!

Eric Blake             address@hidden
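
The lookup-order argument in this message, as an added example that is not part of the original post: `classify_path` flags PATH entries that mean the current directory, and `cwd_wins` reports whether such an entry is reached before a trusted directory that holds the command. The function names and the sandbox layout are constructed for illustration.

```shell
# Print "<position> <kind> <entry>" for each entry of PATH string $1. kind is
# cwd ("." or an empty entry, both meaning the current directory), relative
# or absolute.
classify_path() {
    p="$1:" i=0    # the appended ":" lets the loop see a trailing empty entry
    while [ -n "$p" ]; do
        entry=${p%%:*}
        p=${p#*:} i=$((i + 1))
        case $entry in
            ''|.) kind=cwd ;;
            /*)   kind=absolute ;;
            *)    kind=relative ;;
        esac
        printf '%s %s %s\n' "$i" "$kind" "${entry:-<empty>}"
    done
}

# Exit 0 if the first executable named $1 found along PATH string $2, searched
# from working directory $3, is reached through a cwd or relative entry.
cwd_wins() {
    cmd=$1 cwd=$3
    classify_path "$2" | (
        while read -r pos kind entry; do
            case $kind in
                cwd)      dir=$cwd ;;
                relative) dir=$cwd/$entry ;;
                *)        dir=$entry ;;
            esac
            if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
                [ "$kind" = absolute ] && exit 1
                exit 0
            fi
        done
        exit 1     # command not found on this path at all
    )
}

# Constructed sandbox: a trusted bin/ls and a planted tmp/ls, looked up from
# inside tmp/ with "." first and then with "." last.
demo() {
    box=$(mktemp -d) || return 1
    mkdir "$box/bin" "$box/tmp"
    for f in "$box/bin/ls" "$box/tmp/ls"; do
        printf '#!/bin/sh\n' > "$f" && chmod +x "$f"
    done
    for try in ".:$box/bin" "$box/bin:."; do
        if cwd_wins ls "$try" "$box/tmp"; then echo "./ls runs"; else echo "bin/ls runs"; fi
    done
    rm -rf "$box"
}
demo
```

With "." last, a name that exists in no earlier directory is still resolved from the current directory; `cwd_wins` reports that case as well.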



