This article is from the the Brief Linux FAQ (BLFAQ) Maintained by Neil Zanella firstname.lastname@example.org
Adding '.' to root's PATH would be a security risk. Imagine the case where a malicious user creates a file called /tmp/ls containing a command sequence such as
# Caution: This script removes everything from the Linux file system. cat /tmp/ls rm -Rf /
and you as root wander into temp and want to see what files are there. If the . occurs in root's path before /bin then typing ls at the shell prompt will execute the malicious command instead. Alternatively, the malicious command could be named mroe, ls-l, caat, lss, or similar in which case a typo on root's behalf would cause it to be executed even if . is the last entry in root's path. Finally, the malicious command may be set to copy /bin/bash to a hidden spot and change permissions of the copy to suid ( -rws---r-x ) so that anyone executing the hidden copy would have root permissions.