Security hole in Cygwin FAQ

Steve Kelem kelem@adaptivesilicon.com
Mon Feb 28 12:57:00 GMT 2000


The Cygwin FAQ says:

    Shell scripts aren't running properly from my makefiles?

    You need to have . (dot) in your $PATH. You should NOT need to add /bin/sh
    in front of each and every shell script invoked in your Makefiles.
    If you need to execute something in the current directory, call for it
    explicitly, as ./foobar, not as foobar and count on the
    current directory being in your path.
According to Practical Unix Security , by Garfinkel & Spafford
(O'Reilly & Associates), page 152:
    The current directory, as designated by a null directory or
    period, should never be included in the search path.
The reason being that an attacker can put a password-catching program or
other malicious program under a commonly-used name, such as ls, su, rlogin,
login, ftp, etc. By placing the trojan horse in a place where you might
execute it, such as /tmp, or by subterfuge suggested in the book, if "." is
in the path, the unsuspecting user will execute the trojan horse instead of
the intended program.
The authors recommend:
    We strongly recommend that you get in the habit of typing the
    full pathname of commands when you are running as root.  For
    example, instead of just typing chown, type /etc/chown to be sure you are
    getting the system version!  This may seem like extra work, but when
    you are running as root, you also bear extra responsibility.  Not only
    will this help protect you against changes in your search path, it will
    also prevent surreptitiously-set aliases from working.
Granted, there isn't much security on Windows. However, you shouldn't reinforce
bad practices.
Steve Kelem
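As an added example (not part of the original message or of Cygwin), the following POSIX shell functions audit a PATH string for exactly the weaknesses discussed above: a null directory (empty field), "." or any relative entry, and an existing world-writable directory such as /tmp. The PATH strings in the comments are constructed; the directory names need not exist.

```sh
#!/bin/sh
# Added example, not from the original post: detect search-path entries
# that let whoever controls the working directory (or a shared directory)
# shadow a system command, and produce a hardened PATH without them.

# entry_risk ENTRY -> prints why ENTRY is risky and returns 0;
#                     returns 1 (silently) when the entry is acceptable.
entry_risk() {
    case $1 in
        '') echo "(empty field): the current directory is searched" ;;
        .)  echo ".: the current directory is searched" ;;
        /*) # Absolute path: acceptable unless it is a directory anyone can write to.
            # find -H follows a symlink given on the command line; -prune stops descent.
            if [ -d "$1" ] && [ -n "$(find -H "$1" -prune -perm -o+w 2>/dev/null)" ]; then
                echo "$1: world-writable, anyone can plant a command there"
            else
                return 1
            fi ;;
        *)  echo "$1: relative, resolved against the current directory" ;;
    esac
}

# path_risks PATHSTRING -> one line per risky entry; exit status 1 if any were found.
# Constructed input ".:/usr/bin:bin::" yields three lines (., bin, empty field).
path_risks() {
    rest="$1:"; status=0            # terminate the last field so the loop is uniform
    while [ -n "$rest" ]; do
        entry=${rest%%:*}           # text up to the first ':'
        rest=${rest#*:}             # drop that field and its ':'
        entry_risk "$entry" && status=1
    done
    return $status
}

# hardened_path PATHSTRING -> the same PATH with every risky entry removed.
# Constructed input ".:/usr/bin:bin::/usr/local/bin:" -> "/usr/bin:/usr/local/bin"
hardened_path() {
    rest="$1:"; out=
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}
        entry_risk "$entry" >/dev/null || out="${out:+$out:}$entry"
    done
    printf '%s\n' "$out"
}

# Run against the caller's own PATH when executed directly.
if path_risks "$PATH"; then echo "PATH: no risky entries"
else echo "hardened PATH: $(hardened_path "$PATH")"; fi
```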