On Mon, Nov 10, 2003 at 06:40:07PM -0500, David Kramer wrote:
> Usually . (the current directory) is in the $PATH for regular
> users, however it is almost never in the $PATH for root, for the
> safety reasons already mentioned. Since . is not in your path, I
> will assume you are logged in as root.

These days, it is never a good idea to have '.' in your PATH. Even if
an attacker can't run code as root using the method described, he
might be able to get a regular user to run code for him. If the
sysadmin (often the sole user) of the system hasn't kept up with
patches, even that could lead to a root compromise. I believe some
Linux distros have (relatively) recently removed '.' from the default
user PATH for that reason.

> You won't find this in a lot of manuals, but as a good practice, you
> should only be root when you have to. Since you have multiple
> screens, just log one in as root and only use it for things you need
> to be root for. This greatly reduces the chance of "Bad Things
> Happening To Good People".

This is very sound advice, always.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will
result in undeliverable mail. Sorry for the inconvenience. Thank the
spammers.
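
A check for the condition discussed in the message above, added here as an example and not part of the original post. It goes slightly beyond a literal '.': empty entries (a leading, trailing or doubled ':') and any other relative entry are also searched relative to the current directory. The function name `audit_path` and the sample value are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# audit_path PATH_STRING
#   Prints one line per entry that is searched relative to the current
#   directory; returns 0 if the string is clean, 1 otherwise.
audit_path() {
    rest="$1:"          # trailing ':' so the loop also sees a final empty entry
    idx=0
    risky=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text up to the first ':'
        rest=${rest#*:}     # everything after that ':'
        idx=$((idx + 1))
        case $entry in
            '')
                # leading, trailing or doubled ':' is an implicit '.'
                echo "entry $idx: empty entry (current directory)"
                risky=1 ;;
            .)
                echo "entry $idx: '.' (current directory)"
                risky=1 ;;
            /*)
                ;;          # absolute path: not resolved against the cwd
            *)
                echo "entry $idx: relative path '$entry'"
                risky=1 ;;
        esac
    done
    return "$risky"
}

# Constructed sample value, not taken from any real system.
sample='/usr/local/bin:/usr/bin:.:/bin:'
audit_path "$sample" || echo "sample PATH searches the current directory"
# To check a live session instead: audit_path "$PATH"
```

Run it for root's environment as well as for regular users, since the message's point is that either one can be led into running a planted program.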