Jason S. on Fri, 3 Sep 1999 10:42:08 -0400 (EDT)
Well, that's why you don't have "." in your path. Although full paths are
always a good habit.

J.

When I grow up, I wanna be more like me.
I had a clue. I didn't like it. I took it back and exchanged it for an attitude.

On Fri, 3 Sep 1999, Hugh Brock wrote:

> In general, if I'm not mistaken, you don't want much in the search path
> for the superuser, if for no other reason than that you want to get in
> the habit of typing the full path for every command you run as root
> (e.g. "/bin/ls", not just "ls").
>
> Why? If an attacker was able to gain normal-user status on your system,
> she could plant a trojan-horse "ls" (for example) in the compromised
> user's home directory that emails /etc/passwd to an address in Botswana,
> or something worse. Then when you go to that directory as root and type
> "ls", which you will probably do at some point, the trojan horse ls gets
> executed with root privileges. If, on the other hand, you type /bin/ls,
> nothing happens other than that you wonder "hey, what's this 'ls' doing
> in joe user's home directory?"
>
> (See 'Practical Unix and Internet Security' for more... best $40 I ever
> spent...)
>
> --Hugh
>
> _______________________________________________
> Plug maillist - Plug@lists.nothinbut.net
> http://lists.nothinbut.net/mail/listinfo/plug
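
A check that follows from the advice in this thread, as an added example that is not part of either poster's message: a POSIX shell function that lists the search-path entries which would let a bare command name such as "ls" resolve to a file in the current directory or in a directory any user can write to. The function name `path_findings` and its output labels are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a colon-separated search path.
# path_findings and the labels it prints are illustrative names.

path_findings() {
    rest="$1:"                  # trailing ':' so the final entry is examined too
    while [ -n "$rest" ]; do
        entry=${rest%%:*}       # text before the first ':'
        rest=${rest#*:}         # everything after that ':'
        case "$entry" in
            "")
                # A leading ':', trailing ':' or '::' is an empty entry,
                # which the shell treats as the current directory.
                echo "empty-entry" ;;
            .)
                echo "dot-entry ." ;;
            /*)
                # Absolute entry: flag it if "other" has write permission.
                [ -d "$entry" ] || continue
                perms=$(ls -ldL "$entry" 2>/dev/null) || continue
                case "$perms" in
                    ????????w*) echo "world-writable $entry" ;;
                esac ;;
            *)
                # Any other relative entry is resolved against the current directory.
                echo "relative-entry $entry" ;;
        esac
    done
    return 0
}

# Report on the search path of the shell running this script.
path_findings "$PATH"
```

Run it from a root shell to audit root's own search path; no output means none of these conditions were found.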