Message-Id: <10633.118143@fatcity.com>
From: "Allan Nelson" <anelson@houston.rr.com>
Date: Thu, 28 Sep 2000 08:19:47 -0500
Subject: Re: Unix Security for Unix Gurus

This is a multi-part message in MIME format.

------=_NextPart_000_046B_01C02924.DD4015E0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Because a malicious person could put a program named ls for instance, in =
your current directory.  If you then executed ls you would pick up the =
trojan and excute that instead of your expected command.

Allan
  ----- Original Message -----=20
  From: Sanjay Kumar=20
  To: Multiple recipients of list ORACLE-L=20
  Sent: Wednesday, September 27, 2000 8:30 PM
  Subject: Unix Security for Unix Gurus


  Hi,

  I was going thru the Unix documentation and came across the following.

  This is about setting PATH. The following is one of the suggestions =
for setting efficient PATH.

  If security is not a concern, put the current working directory (.) =
first in the path.

  However, including the current working directory in the path poses a =
security risk

  that you might want to avoid, especially for superuser.

  My question is how does setting the current directory pose a security =
threat?

  TIA

  Sanjay Kumar


------=_NextPart_000_046B_01C02924.DD4015E0
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 5.50.4134.600" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>Because a malicious person could put a =
program=20
named ls for instance, in your current directory.&nbsp; If you then =
executed ls=20
you would pick up the trojan and excute that instead of your expected=20
command.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Allan</FONT></DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
  <DIV style=3D"FONT: 10pt arial">----- Original Message ----- </DIV>
  <DIV=20
  style=3D"BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: =
black"><B>From:</B>=20
  <A title=3Dora_user@hotmail.com =
href=3D"mailto:ora_user@hotmail.com">Sanjay=20
  Kumar</A> </DIV>
  <DIV style=3D"FONT: 10pt arial"><B>To:</B> <A =
title=3DORACLE-L@fatcity.com=20
  href=3D"mailto:ORACLE-L@fatcity.com">Multiple recipients of list =
ORACLE-L</A>=20
  </DIV>
  <DIV style=3D"FONT: 10pt arial"><B>Sent:</B> Wednesday, September 27, =
2000 8:30=20
  PM</DIV>
  <DIV style=3D"FONT: 10pt arial"><B>Subject:</B> Unix Security for Unix =

  Gurus</DIV>
  <DIV><BR></DIV>
  <DIV><FONT face=3DArial>
  <P><FONT face=3D"Times New Roman" size=3D2>Hi,</FONT></P>
  <P><FONT face=3D"Times New Roman" size=3D2>I was going thru the Unix =
documentation=20
  and came across the following.</FONT></P>
  <P><FONT face=3D"Times New Roman" size=3D2>This is about setting PATH. =
The=20
  following is one of the suggestions for setting efficient =
PATH.</FONT></P>
  <P><FONT face=3D"Times New Roman"><FONT size=3D2><STRONG>If security =
is not a=20
  concern, put the current working directory (.) first in the=20
  path.</STRONG></FONT></P>
  <P><FONT size=3D2><STRONG>However, including the current working =
directory in=20
  the path poses a security risk</STRONG></FONT></P>
  <P><FONT size=3D2><STRONG>that you might want to avoid, especially for =

  superuser.</STRONG></FONT></P>
  <P><FONT size=3D2>My question is how does setting the current =
directory pose a=20
  security threat?</FONT></P>
  <P><FONT size=3D2>TIA</FONT></P>
  <P><FONT size=3D2>Sanjay=20
Kumar</FONT></P></FONT></FONT></DIV></BLOCKQUOTE></BODY></HTML>