Subject: Re: '.' in your path & security (was: build.sh breakage?)
To: NetBSD-current Users's Discussion List <current-users@netbsd.org>
From: Greg A. Woods <woods@planix.com>
List: current-users
Date: 03/27/2007 18:08:51

At Mon, 26 Mar 2007 22:13:41 +0100, David Laight wrote:
Subject: Re: build.sh breakage?
>
> On Sun, Mar 25, 2007 at 10:33:25PM -0500, Brian A. Seklecki wrote:
> > There's always the possibility your $PWD is a og+w bit
> > (/tmp, /var/tmp) and someone slips in an executable shell script there
> > for a command you might type that isn't located in $PATH yet.

(/tmp and /var/tmp should be mounted with "-o noexec,nodev" of course)

> Indeed, so if you run as root, with '.' in your $PATH, on a system
> where other people might put stuff into odd directories, you are stupid.

Indeed.

The same rule about relative paths in $PATH should also apply to those
who use "su" to attain other privileges, especially superuser
privileges, i.e. don't use relative PATH elements under your normal
user-ID either!


> There are a lot of other ways a root user can shoot themselves in the foot!

How true!

-- 
						Greg A. Woods

H:+1 416 218-0098 W:+1 416 489-5852 x122 VE3TCP RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com>       Secrets of the Weird <woods@weird.com>
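
An added example, not part of the original message: a POSIX sh function that audits a PATH string for the hazards discussed above, namely relative elements (including a zero-length element, which the shell searches as the current directory) and directories writable by group or others. The function name `audit_path` and the EMPTY/WRITABLE/RELATIVE labels are illustrative choices made for this example.

```shell
#!/bin/sh
# audit_path PATHSTRING
# Print one finding per risky element; return 0 if none were found, 1 otherwise.
# Typical use: audit_path "$PATH"
audit_path() {
    status=0
    # Append ':' so that a trailing empty element is still visited.
    rest="$1:"
    while [ -n "$rest" ]; do
        elem=${rest%%:*}     # text before the first ':'
        rest=${rest#*:}      # everything after the first ':'
        case $elem in
        '')
            # A zero-length element is searched as the current directory.
            echo "EMPTY: zero-length element (same as '.')"
            status=1
            ;;
        /*)
            # Absolute element: skip it unless it is an existing directory.
            [ -d "$elem" ] || continue
            # -L follows a symlinked directory so its real mode is read.
            mode=$(ls -ldL "$elem" | cut -c1-10)
            case $mode in
            ?????w*|????????w*)
                # Column 6 is group write, column 9 is other write.
                echo "WRITABLE: $elem ($mode)"
                status=1
                ;;
            esac
            ;;
        *)
            # '.', '..', 'bin', './tools' and so on all depend on $PWD.
            echo "RELATIVE: $elem"
            status=1
            ;;
        esac
    done
    return $status
}
```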
