This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Latest cygwin.bat - need one

On Mon, 12 Dec 2011, Mike Brown wrote:
Doing some more digging I found
the following posting (via google):

> Does changing 'bash' to '/bin/bash' make a difference?

Answering my own question: yes.

   There was a change in execvp()'s behaviour to no longer look up
   an executable in the current working directory, wasn't there? I
   can't find it in the ChangeLog though.

You've got to be kidding. Why was the looking into CWD removed?

PATH specifies the list of directories to search for executables. So if execvp() ever used "." unconditionally regardless of PATH, then it violated one of the most long-standing UNIXy rules.

It can also be a massive security hole.  On a multi-user system,
I can put a script named "ls" in /tmp, or other likely directory for
others to cd to, to
- copy /bin/bash to some location
- set the setuid bit and setgid on this copy
- run /bin/ls
  (Bonus points: somehow filter out this nasty ls script if they are
  looking at /tmp.  This is hard.)
Anyone foolish enough to put "." near the start of their PATH and who
    cd /tmp
would thereby get their account hacked, and changing their password
would do no good.  I removed "." from my PATH in the 1980s for just
this reason.  At least if "." is after standard system directories
like /bin /usr/bin, it mitigates the problem to a large extent: it
catches only typos and attempts to run programs that you don't have
installed.  I wonder if there are any common typos to try for.

If execvp() ever looked in "."  unconditionally, there would be no way
to ever completely close this security hole.

Tim McDaniel,

Problem reports:
Unsubscribe info:

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]