What's wrong with having '.' in my $PATH ? - Unix



Thread: What's wrong with having '.' in my $PATH ?

  1. What's wrong with having '.' in my $PATH ?

    I was told that it's a Bad Idea (especially for root ) to Add To $PATH
    in unix the ":." (dot)
    In order to execute programs in my current directory without typing
    ../program
    For example: PATH=$PATH:$HOME/bin:.
    Does someone know why is it a Bad Idea?


  2. Re: What's wrong with having '.' in my $PATH ?

    amitbern@gmail.com writes:
    >I was told that it's a Bad Idea (especially for root ) to Add To $PATH
    >in unix the ":." (dot)
    >In order to execute programs in my current directory without typing
    >./program
    >For example: PATH=$PATH:$HOME/bin:.
    >Does someone know why is it a Bad Idea?


    Say somebody creates a /tmp/ls executable that does bad things.

    You decide to figure out why /tmp is so full, so you 'cd /tmp' and
    type ls. Sometimes people actually have . first in their $PATH and now
    you've just run their ls which gives somebody else root.

    But I notice you have . last. Maybe whoever did it notices that you
    typo ls a lot and call it lss. So they also made a /tmp/lss that does
    bad things.

    Now when you go investigate why /tmp is full, and typo ls by typoing lss
    you run their program without any intention of doing so.

    This isn't a theoretical exploit, it's been used many times with good success.

    There's really no reason why you couldn't put all your executables in
    your own ~/bin and put it in your PATH. There's no good reason to
    want to run programs in the current directory.

  3. Re: What's wrong with having '.' in my $PATH ?

    amitbern@gmail.com said the following, on 11/06/05 08:25:
    > I was told that it's a Bad Idea (especially for root ) to Add To $PATH
    > in unix the ":." (dot)
    > In order to execute programs in my current directory without typing
    > ../program
    > For example: PATH=$PATH:$HOME/bin:.
    > Does someone know why is it a Bad Idea?
    >


    In a nutshell, it's because you want to be sure -- ESPECIALLY if you are
    root -- that you know which program you are running.

    Let's suppose that you have a clueless user (surely some mistake!) who
    allows his account to be compromised. EvilGuy logs in as Clueless. Now
    he has access to Clueless's files, but he still can't modify anything
    in, say, /usr/bin. (Note, though, he can generally create files in /tmp.)

    EvilGuy has a nasty program that he puts into Clueless's home directory,
    and maybe also in /tmp. He then, let's say, creates a bunch of crap
    files in the home directory until he hits the disk quota. He leaves,
    and the next time Clueless logs in, he calls to say that he can't create
    any files. You, as root, go to investigate, and *BAM* you've been had
    -- because EvilGuy called his nasty program 'ls'.

    --
    Rich Gibbs
    richg74@gmail.com
    "You can observe a lot by watching." -- Yogi Berra

  4. Re: What's wrong with having '.' in my $PATH ? (or null element, e.g. :: or starting or ending with :)

    Well, it's been answered, but to put it another way, ...
    let's say you do:

    $ cd some_directory_you_do_not_have_absolute_and_complete_control_over
    $ some_command_or_typographic_variation_of_a_common_command

    If the command found is the one in the current directory, then
    whomever or whatever wrote or placed that command there, henceforward
    has complete and total control of your ID, and can do anything they
    wish as your ID, and if they're sufficiently sneaky about it, you may
    never even know it happened. And of course you get all the blame,
    because it's done under your ID ... after all, you were the one who
    ran the nefarious command that started all the nastiness that ran
    under your ID.

    If the account is superuser (uid 0, usually root), then they now own
    your box. With other sufficiently privileged IDs (e.g. typically
    bin), they can typically quite quickly and trivially escalate their
    access to that of superuser.

    Anyway, hardly worth all that nasty risk when just typing ./ is
    sufficient to explicitly run the command present in the current
    directory.

    amitbern@gmail.com wrote:
    > I was told that it's a Bad Idea (especially for root ) to Add To $PATH
    > in unix the ":." (dot)
    > In order to execute programs in my current directory without typing
    > ./program
    > For example: PATH=$PATH:$HOME/bin:.
    > Does someone know why is it a Bad Idea?
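
Added example, not part of any post in this thread: a POSIX sh check for the PATH elements discussed above, namely `.`, empty elements (`::`, a leading or trailing `:`), and other relative directories. The function names and sample PATH strings are constructed for illustration.

```shell
#!/bin/sh
# Classify one PATH element: print why it is risky, or nothing if it is fine.
path_entry_risk() {
    case "$1" in
        "")  echo "empty element (searched as the current directory)" ;;
        .)   echo "current directory" ;;
        /*)  ;;                          # absolute path: fine for this check
        *)   echo "relative directory (depends on where you cd)" ;;
    esac
}

# Walk a PATH string (default: $PATH) without losing the empty elements
# produced by "::", a leading ":" or a trailing ":".
# Prints one line per risky element; with $2 = "clean" it prints the PATH
# with those elements removed instead.
audit_path() {
    rest="${1-$PATH}:"        # sentinel colon terminates the last element
    mode="${2-report}" pos=0 kept=""
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"   # text before the first colon
        rest="${rest#*:}"     # everything after that colon
        pos=$((pos + 1))
        risk=$(path_entry_risk "$entry")
        if [ -z "$risk" ]; then
            kept="${kept:+$kept:}$entry"
        elif [ "$mode" = report ]; then
            echo "element $pos '$entry': $risk"
        fi
    done
    if [ "$mode" = clean ]; then echo "$kept"; fi
}

# Constructed sample values, not taken from a real system.
audit_path '/usr/bin:/bin:/home/user/bin:.'
audit_path ':/usr/bin::/bin:'
audit_path '/usr/bin:bin:.:/bin' clean
```

Calling `audit_path` with no arguments checks the PATH of the current shell, which is worth doing for root's login environment in particular.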



  5. Re: What's wrong with having '.' in my $PATH ?

    Doug McIntyre writes:
    > amitbern@gmail.com writes:
    >>I was told that it's a Bad Idea (especially for root ) to Add To $PATH
    >>in unix the ":." (dot)
    >>In order to execute programs in my current directory without typing
    >>./program
    >>For example: PATH=$PATH:$HOME/bin:.
    >>Does someone know why is it a Bad Idea?


    [snip a bunch of stuff I agree with]

    > There's really no reason why you couldn't put all your executables in
    > your own ~/bin and putting it in your PATH. There's no good reason to
    > want to run programs in the current directory.


    Actually, I run programs in the current directory all the time. For
    example, if I want to do a quick test of a small C program, I'll do:

    gcc foo.c -o foo && ./foo

    I don't want to put foo in ~/bin, since it's not intended to be run
    more than once.

    I've just developed the habit of using the "./" prefix whenever I want
    to run something in the current directory.

    This also avoids another problem (though not nearly as bad as the
    "/tmp/ls" security hole). Suppose I have "." in my $PATH, and I call
    the C program "test.c":

    gcc test.c -o test && test

    Since "test" is commonly a shell builtin, this won't execute my
    program. Since the "test" command with no arguments produces no
    output, this can be difficult to track down until you figure out what
    the problem is.

    --
    Keith Thompson (The_Other_Keith) kst-u@mib.org
    San Diego Supercomputer Center <*>
    We must do something. This is something. Therefore, we must do this.

  6. Re: What's wrong with having '.' in my $PATH ?

    Hello,
    I just would like to add, that this question is answered in much
    detail in the FAQ for this group. The FAQ is posted frequently (last
    time last week) and contains a lot of useful information.
    Every poster to a newsgroup should read the FAQ in order to avoid
    unnecessary wasting of bandwidth.
    Alois

