On 2002-05-13 at 22:18:56 [+0200], openbeos@xxxxxxxxxxxxx wrote:
> On Mon, 13 May 2002 19:48:02 +0200
> Linus Almstrom <linalm-7@xxxxxxxxxx> wrote:
> >On 2002-05-13 at 19:41:06 [+0200], openbeos@xxxxxxxxxxxxx wrote:
> >> Well, maybe I'm rambling. Could you just explain this security issue?
> >
> >The issue is whether the ./ path should be in the PATH environment
> >variable or not. Having the ./ path in it is a security risk, since any
> >user could write a simple script, put it somewhere and name it to cp or
> >whatever. If you go to that dir and type "cp" in hope to copy some
> >files, the script is executed, since the ./ path is in the PATH env var.
> >This is very likely on multiuser systems and a big security risk.
>
> I don't see how this is a security risk. It's very possible I might want
> to have a script in a folder that has the same name as a common command
> like cp.
> The real issue, I think, is if another user is sticking these files into
> another user's directory. In this case looking at ./ isn't looking at the
> real issue because security has already been broken because this user is
> sticking stuff in a folder that belongs to another user.

Any user could have a script in their home dir somewhere, and when another
user comes there, executing "cp", the first user could do whatever he likes
with the second user's account. "rm -R ~/" is vicious and might cause a lot of
trouble for the first user.

Regards
/Procton
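
A check for the PATH setting discussed in this thread, added here as an example and not part of the original messages. The function name audit_path is hypothetical and the sample PATH value is constructed; it reports every PATH entry that makes the shell search the current directory, which covers ".", "./", any other relative entry, and an empty entry (a leading, trailing or doubled colon).

```shell
#!/bin/sh
# audit_path PATHSTRING  (hypothetical helper, added example)
# Prints one line per entry that resolves against the current directory.
# Returns 0 if every entry is an absolute path, 1 otherwise.
audit_path() {
    ap_rest=$1
    ap_pos=0
    ap_bad=0
    while :; do
        # Peel off one colon-separated entry; keep empty entries, because
        # an empty PATH entry is searched as the current directory.
        case $ap_rest in
            *:*) ap_entry=${ap_rest%%:*}; ap_rest=${ap_rest#*:}; ap_last=0 ;;
            *)   ap_entry=$ap_rest; ap_last=1 ;;
        esac
        ap_pos=$((ap_pos + 1))
        case $ap_entry in
            '')   echo "entry $ap_pos: empty (searched as current directory)"
                  ap_bad=1 ;;
            .|./) echo "entry $ap_pos: '$ap_entry' (current directory)"
                  ap_bad=1 ;;
            /*)   ;;  # absolute path: does not depend on where you are
            *)    echo "entry $ap_pos: '$ap_entry' (relative to current directory)"
                  ap_bad=1 ;;
        esac
        if [ "$ap_last" -eq 1 ]; then
            break
        fi
    done
    return "$ap_bad"
}

# Constructed sample value: "." at the end is still searched for any
# command name that is not found in the earlier directories.
audit_path "/usr/local/bin:/usr/bin:/bin:." ||
    echo "this PATH can run programs from the current directory"
```

Run it against a live setting with audit_path "$PATH", for example from a login profile check.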