On Tue, 14 May 2002 23:08:51 +0200 Linus Almstrom <linalm-7@xxxxxxxxxx> wrote:
>On 2002-05-14 at 22:49:02 [+0200], openbeos@xxxxxxxxxxxxx wrote:
>> To me this is just a 'safety net' for folders accessible by multiple
>> users (or even just one user). If a user is stupid enough to name a
>> script the same as a common program the user is definitely asking for
>> problems (problems unrelated to security).
>
>Stupid?
>I do not think you understand. If you execute an application somewhere
>(in another user's home tree) the application gets your rights, which means
>that the one that created and put the application there deliberately can
>get any kind of information from you or erase all your own files.

In multiuser systems I'd definitely be careful about what programs I run. How does this relate to ./?

>
>There is also stuff like suid, but that is a completely different
>business, sort of anyway.
>
>> Especially so if the user
>> doesn't inform the other users of the group about this script. I said
>> that the 'problems' aren't security related. I mean that to mean that it
>> won't help hackers break through security. The script could loosen
>> security for folders that belong to the group. As I said earlier a user
>> would be stupid to do that and deserves to have his hand slapped.
>
>What are you talking about? That does not seem to have anything to do with
>what the discussion is about.

I'm trying to understand what the security issue with ./ is. Based on what I've been told I'm explaining what I see. If my explanation is wrong could you correct me? Thanks.

>> I say keep the ./ in there by default. I'm always for giving a user all
>> the options. If the user wants to try to do something risky let them as
>> it could only affect themselves.
>
>I say the other way around... Leave out the "./" and let the power users
>add it if they feel they understand what they are doing.

Maybe I'll think that once I understand this security issue.

Scott MacMaster <zqxh@xxxxxxx>
-----------------------------
Indiana University of Pennsylvania - student
www.CodeLiege.com
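
Added example, not part of the original message: assuming the "./" under discussion is a current-directory entry in the shell's command search path (PATH), this check lists the entries through which a file placed in a shared folder could run in place of a common program, with the caller's rights. The function name and sample values are made up for illustration, and the check goes slightly beyond the thread by also flagging group- or world-writable directories.

```shell
#!/bin/sh
# Added example (not from the thread). risky_path_entries is a hypothetical
# helper name; it prints one line per search-path entry that lets a file
# planted by another user shadow a command name.
risky_path_entries() {
    rest="$1:"                      # trailing ':' so the last entry is seen
    while [ -n "$rest" ]; do
        entry=${rest%%:*}           # text before the first ':'
        rest=${rest#*:}             # everything after it
        case $entry in
            '')
                # An empty entry is searched as the current directory.
                echo "cwd-relative: (empty)" ;;
            /*)
                # Absolute: flag it only if group or others may write to it.
                perms=$(ls -ldL "$entry" 2>/dev/null | cut -c1-10)
                case $perms in
                    d????w*|d???????w*) echo "shared-writable: $entry" ;;
                esac ;;
            *)
                # ".", "./bin", "bin": resolved against wherever you cd to.
                echo "cwd-relative: $entry" ;;
        esac
    done
    return 0
}

# Constructed sample value, not a real system's PATH.
risky_path_entries "/bin:.:/usr/bin::./tools"
```

Run it against your own setting with `risky_path_entries "$PATH"`; no output means every entry is absolute and writable only by its owner.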