bug-coreutils

Re: PATH and security


From: Jim Meyering
Subject: Re: PATH and security
Date: Wed, 23 Apr 2008 08:14:08 +0200

Eric Blake <address@hidden> wrote:
> According to Jim Meyering on 4/22/2008 5:13 PM:
> |>> If security isn't enough of an argument, you can consider this yet another
> |>> reason not to put "." early in your PATH.  Please consider removing
> |>> "." from your PATH altogether.
>
> | Besides, I recognize that no system is immune from risk.
> | I.e., a bug in my browser may allow malicious code to create
> | that /tmp/ls file you mentioned.
>
> I personally like having . in my PATH on systems I manage, but only at the
> end and never first, so I can guarantee that any important program (like
> /bin/ls) cannot be inadvertently replaced by a malicious /tmp/ls.

With "." anywhere in your PATH, you're still subject to the risk of the
classic typo-trojan.  I.e., if someone/something creates /tmp/sl and
you type e.g., "sl" instead of "ls" while in /tmp.
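
An added example, not part of the original message: a POSIX shell check that flags every PATH entry resolved against the current directory, wherever it sits in the list, and prints the PATH with those entries removed. It goes slightly beyond the thread by also covering empty entries (a leading, trailing or doubled colon), which the shell treats as the current directory; the function names and sample PATH are constructed for illustration.

```shell
#!/bin/sh
# audit_path PATHSTRING
# Prints one line per entry that depends on the current directory and
# returns 1 if any were found, 0 if every entry is an absolute path.
audit_path() {
    rest="${1}:"      # trailing colon keeps a final empty entry visible
    pos=0
    risky=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}     # text before the first colon
        rest=${rest#*:}       # everything after it
        pos=$((pos + 1))
        case $entry in
            '') echo "entry $pos: empty (current directory)"; risky=1 ;;
            .)  echo "entry $pos: . (current directory)"; risky=1 ;;
            /*) ;;            # absolute path: independent of the cwd
            *)  echo "entry $pos: $entry (relative to current directory)"
                risky=1 ;;
        esac
    done
    return $risky
}

# clean_path PATHSTRING
# Prints PATHSTRING with every non-absolute entry dropped, order preserved.
clean_path() {
    rest="${1}:"
    kept=
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            /*) kept="${kept:+$kept:}$entry" ;;
        esac
    done
    printf '%s\n' "$kept"
}

# Constructed sample: "." placed last, the setup described in the quoted reply.
SAMPLE_PATH="/usr/local/bin:/usr/bin:/bin:."
audit_path "$SAMPLE_PATH" || echo "suggested PATH: $(clean_path "$SAMPLE_PATH")"
```

Running `audit_path "$PATH"` from a login script or a configuration check reports a trailing "." just as it reports a leading one, which is the case the typo example above depends on.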



