Description
This article is from the the Brief
Linux FAQ (BLFAQ) Maintained by Neil Zanella
nzanella@ganymede.cs.mun.ca
023. I want to add '.' to root's PATH, to allow me to not have to put ./ in front of every local command I type. But I hear this is a bad thing. Why?
Adding '.' to root's PATH would be a security risk. Imagine the case where a
malicious user creates a file called /tmp/ls containing a command sequence
such as
# Caution: This script removes everything from the Linux file system.
cat /tmp/ls
rm -Rf /
and you as root wander into temp and want to see what files are there. If
the . occurs in root's path before /bin then typing ls at the shell prompt
will execute the malicious command instead. Alternatively, the malicious
command could be named mroe, ls-l, caat, lss, or similar in which case a
typo on root's behalf would cause it to be executed even if . is the last
entry in root's path. Finally, the malicious command may be set to copy
/bin/bash to a hidden spot and change permissions of the copy to
suid ( -rws---r-x ) so that anyone executing the hidden copy would have
root permissions.
Continue to:
Share and Enjoy
Bookmark this story so others can enjoy it:
Tags
linux, os, faq
