
BLU Discuss list archive



On Mon, Nov 10, 2003 at 06:40:07PM -0500, David Kramer wrote:
> Usually . (the current directory) is in the $PATH for regular
> users, however it is almost never in the $PATH for root, for the
> safety reasons already mentioned.   Since . is not in your path, I
> will assume you are logged in as root.

These days, it is never a good idea to have '.' in your PATH.  Even if
an attacker can't run code as root using the method described, he
might be able to get a regular user to run code for him.  If the
sysadmin (often the sole user) of the system hasn't kept up with
patches, even that could lead to a root compromise.

I believe some Linux distros have (relatively) recently removed '.'
from the default user PATH for that reason.

> You won't find this in a lot of manuals, but as a good practice, you
> should only be root when you have to.    Since you have multiple
> screens, just log one in as root and only use it for things you need
> to be root for.  This greatly reduces the chance of "Bad Things
> Happening To Good People".

This is very sound advice, always.

Derek D. Martin
This message is posted from an invalid address.
Replying to it will result in undeliverable mail.
Sorry for the inconvenience.  Thank the spammers.
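
Added example, not part of the original message: a POSIX shell check for the PATH entries discussed in this thread. It goes beyond the literal '.' and also flags empty entries (a leading, trailing or doubled ':'), which the shell treats as the current directory, and any other relative entry. `audit_path` is a hypothetical helper name.

```shell
#!/bin/sh
# audit_path (hypothetical name): print each entry of a PATH-style string
# that is resolved against the current working directory.
# Returns 0 if every entry is an absolute path, 1 otherwise.
audit_path() {
    rest="$1:"      # trailing ':' so the final entry is examined as well
    idx=0
    risky=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text up to the first ':'
        rest=${rest#*:}     # remainder after that ':'
        idx=$((idx + 1))
        case "$entry" in
            "")
                # POSIX: a zero-length entry means the current directory
                echo "$idx: empty entry (current directory)"
                risky=$((risky + 1)) ;;
            .)
                echo "$idx: '.' (current directory)"
                risky=$((risky + 1)) ;;
            /*)
                ;;          # absolute path, not affected by the cwd
            *)
                echo "$idx: relative entry '$entry'"
                risky=$((risky + 1)) ;;
        esac
    done
    [ "$risky" -eq 0 ]
}

# Check the PATH of the current shell (run once as the user, once as root).
audit_path "$PATH" || echo "PATH has entries that depend on the current directory" >&2
```
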


BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
