Quote:
Originally posted by log
Why is putting . in the path a bad idea?
I can't see any problem with it off the top of my head?
Linux security has its reasons.
You can get away with this as a regular user provided you put :.: at the end of your path. However, never do this to root's path.
Why? Well, the bad guys are really bad. Someone posts a program in tarball or RPM format, it doesn't matter; but it sounds like a great proggy to have so you download it, and you do a configure, make, make install (for the tarball, say). However, unbeknownst to you, it also deposits a keystroke logger daemon named 'ls' in your home directory. Well, later in the day you cd to your home directory and do a simple ls. Guess what happens. You got it, the ls in your home directory is run and not /bin/ls, and all because you had "." in your path before /bin, so the "bad" ls is found first.
If the bad guys are smart, you will get a working ls command and you will never know the difference, but your passwords, credit card numbers, etc. will happily be sent out to the internet someplace. Unless you pay close attention you may find out way too late.
So, my advice is don't do it. If you must, do it only for a regular user account, put it at the end of the path, and never, ever, ever (did I say never, ever?) do it for root.
Cheers--
Charles
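A check for the condition described in the post above, as an added example that is not part of the original post: it lists every PATH entry that resolves to the current directory and says whether it is searched before /bin. It goes slightly beyond the post by also flagging empty entries (a leading, trailing or doubled colon, which the shell treats the same as ".") and other relative entries; the function name `audit_path` and the sample PATH values are made up for illustration.

```shell
#!/bin/sh
# audit_path PATHSTRING   (hypothetical helper, not from the post)
# Prints one line per entry that is "." / empty (current directory) or
# otherwise relative, with its 1-based position and whether it is searched
# before or after /bin. Returns 1 if anything was flagged, 0 if clean.
audit_path() {
    pos=0
    seen_bin=no
    found=0
    # Append ":" so a trailing empty entry is not lost while splitting.
    rest="$1:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}      # text up to the first colon
        rest=${rest#*:}        # everything after that colon
        pos=$((pos + 1))
        case $entry in
            /bin|/bin/) seen_bin=yes; continue ;;
            /*)         continue ;;                  # absolute: not flagged
            ""|.|./)    kind="current-directory" ;;
            *)          kind="relative" ;;
        esac
        found=1
        if [ "$seen_bin" = yes ]; then
            order="after /bin"
        else
            order="before /bin"
        fi
        printf '%s entry #%d "%s" (%s)\n' "$kind" "$pos" "$entry" "$order"
    done
    return "$found"
}

# Constructed sample values, not taken from the post.
for sample in '.:/bin:/usr/bin' '/bin:/usr/bin:.:' '/bin:/usr/bin'; do
    printf 'PATH=%s\n' "$sample"
    audit_path "$sample" || true
done
```

Run `audit_path "$PATH"` in the account you want to check; for root the output should be empty.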