Re: PATH and security
From: Jim Meyering
Subject: Re: PATH and security
Date: Wed, 23 Apr 2008 08:14:08 +0200

Eric Blake <address@hidden> wrote:
> According to Jim Meyering on 4/22/2008 5:13 PM:
> |>> If security isn't enough of an argument, you can consider this yet another
> |>> reason not to put "." early in your PATH. Please consider removing
> |>> "." from your PATH altogether.
>
> | Besides, I recognize that no system is immune from risk.
> | I.e., a bug in my browser may allow malicious code to create
> | that /tmp/ls file you mentioned.
>
> I personally like having . in my PATH on systems I manage, but only at the
> end and never first, so I can guarantee that any important program (like
> /bin/ls) cannot be inadvertently replaced by a malicious /tmp/ls.
With "." anywhere in your PATH, you're still subject to the risk of the
classic typo-trojan. I.e., if someone/something creates /tmp/sl and
you type e.g., "sl" instead of "ls" while in /tmp.
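
The following is an added example, not part of the message above or of any project's code: a POSIX shell check for PATH entries that make the shell search the current directory, which is the condition this thread warns about. It goes beyond the literal "." and also reports empty entries (a leading, trailing or doubled colon, which POSIX treats as the current directory) and relative entries; the function name `audit_path` and the sample PATH are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. audit_path is a hypothetical name.
# Prints every PATH entry that makes the shell search the current directory
# and returns non-zero if any such entry exists.
audit_path() {
    path_value=${1-$PATH}   # optional argument: PATH-style string to check
    findings=""
    index=0
    # A ':' sentinel keeps a trailing empty entry from being lost in the split.
    rest="${path_value}:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text before the first ':'
        rest=${rest#*:}     # everything after the first ':'
        index=$((index + 1))
        case $entry in
            "")   reason="empty entry, means the current directory" ;;
            .|./) reason="explicit current directory" ;;
            /*)   reason="" ;;   # absolute entries are not flagged here
            *)    reason="relative entry, resolved against the current directory" ;;
        esac
        if [ -n "$reason" ]; then
            findings="${findings}entry ${index} '${entry}': ${reason}
"
        fi
    done
    printf '%s' "$findings"
    [ -z "$findings" ]
}

# Constructed sample PATH: a "::" gap and a trailing "." both get reported.
audit_path "/usr/local/bin:/usr/bin::/bin:." || true
```

Called with no argument, `audit_path` checks the live `$PATH`, so it can run from a login script or a configuration audit.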