[openbeos] Re: . or no .

  • From: Linus Almstrom <linalm-7@xxxxxxxxxx>
  • To: openbeos@xxxxxxxxxxxxx
  • Date: Tue, 14 May 2002 00:02:23 +0200

On 2002-05-13 at 22:18:56 [+0200], openbeos@xxxxxxxxxxxxx wrote:
> On Mon, 13 May 2002 19:48:02 +0200
>  Linus Almstrom <linalm-7@xxxxxxxxxx> wrote:
> >On 2002-05-13 at 19:41:06 [+0200], openbeos@xxxxxxxxxxxxx wrote:
> >> Well, maybe I'm rambling.  Could you just explain this security issue?
> >
> >The issue is whether the ./ path should be in the PATH environment 
> >variable or not. Having the ./ path in it is a security risk, since any 
> >user could write a simple script, put it somewhere and name it to cp or 
> >whatever. If you go to that dir and type "cp" in hope to copy some 
> >files, the script is executed, since the ./ path is in the PATH env var. 
> >This is very likely on multiuser systems and a big security risk.
> 
> I don't see how this is a security risk.  It's very possible I might want 
> to have a script in a folder that has the same name as a common command 
> like cp.
> The real issue, I think, is if another user is sticking these files into 
> another user's directory.  In this case looking at ./ isn't looking at the 
> real issue because security has already been broken because this user is 
> sticking stuff in a folder that belongs to another user.

Any user could have a script in their home dir somewhere, and when
another user comes there, executing "cp", the first user could do whatever
he likes with the second user's account.

"rm -R ~/" is vicious and might cause a lot of trouble for the first user.

Regards

/Procton
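
A check for the PATH condition discussed in this message, as an added example that is not part of the original post: the hypothetical shell function `audit_path` lists PATH entries that resolve against the current directory. Besides `.` and `./` it flags empty entries (a leading, trailing or doubled colon), which POSIX command lookup also treats as the current directory; the sample PATH string is constructed.

```shell
#!/bin/sh
# audit_path PATHSTRING   (hypothetical helper name)
# Prints one line per entry that is looked up relative to the current
# directory and returns 1 if any such entry exists, 0 otherwise.
audit_path() {
    path_value=$1
    findings=0
    index=0
    # Append ":" so that a trailing empty entry is still seen by the loop.
    rest="${path_value}:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}     # text before the first colon
        rest=${rest#*:}       # everything after the first colon
        index=$((index + 1))
        case $entry in
            "")
                # "::", a leading ":" or a trailing ":" all mean "current directory"
                printf "entry %s: empty (means current directory)\n" "$index"
                findings=1
                ;;
            /*)
                # absolute directory: not affected by where the user has cd'ed to
                ;;
            *)
                # ".", "./", "bin", "../tools" ... all depend on the current directory
                printf "entry %s: relative path '%s'\n" "$index" "$entry"
                findings=1
                ;;
        esac
    done
    return $findings
}

# Constructed sample value, not taken from any real system.
sample_path="/usr/local/bin:/usr/bin::/bin:./"
audit_path "$sample_path" || echo "PATH contains entries that resolve to the current directory"
```

Run it against a login environment with `audit_path "$PATH"`; with a clean PATH, a script in the current directory is only run when it is named explicitly, for example `./cp`.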
