Re: [SLUG] PATH=$PATH.
On Sat, May 27, 2000 at 09:15:31PM +0000, Minh Van wrote:
> can i execute binary files in the $PWD first without having to have $PWD
> in $PATH ? or do i have to source a function in bashrc ? the best thing i
> can think of that suits my purpose is "PATH=$PATH:.".
>
The main problem with having . in your path is of course security.
Best example is if you have . in your path and I put a file in /tmp that
looks like this
#!/bin/sh
cd $HOME
rm -rf *
Then go cd into /tmp and run ls; well, pretty disastrous things are going to happen.
Some people will tell you that putting the dot at the end of your path is safe because
the ls in /bin will get run first. But how many times do you accidentally type la instead
of ls, or maybe you've been using DOS too long and start typing commands like copy by accident.
I can just rename my evil script to do something like that.
> apparently people think this style is dangerous and promotes bad habits.
> but i don't understand why this style is different to putting scripts in
> $PATH and being able to run them.
The difference here is that if you put $HOME/bin in your path you should be the
only person with permissions to write scripts in that directory so you can't do the /tmp
trick.
>
> there was also another suggestion that i got from people, and that was to
> use "PATH=$PATH:.." ie. two with "."s.
That will put $PWD/.. in your path ie the parent directory, probably not
very useful and just as dangerous.
>
> i've also conducted my own tests for "PATH=$PATH:./", which seems to do
> the same thing.
Same as dot just as dangerous.
You basically need to decide whether it's safe to put . in your path. If it's on a
machine that only you use at home then it's probably not too much of a problem unless somebody
hacks into your box but then you've got bigger problems :) But it will possibly lead to bad habits
and when you move to a public box you'll get annoyed with not having it and put it in anyway.
Besides it's not that hard to type ./ in front of commands not in your path is it?
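An added example, not part of the original message: a POSIX sh check that flags the PATH entries discussed in this thread (".", "..", "./") and directories that other users can write to, such as /tmp. It goes slightly beyond the message by also flagging empty entries (a leading, trailing or doubled colon), which the shell treats as the current directory; the function names `audit_path` and `writable_by_others` are made up for this example.

```shell
#!/bin/sh
# Added example: audit a PATH string for entries that let someone else's
# file run under a command name you type.

# Succeeds if directory $1 is writable by its group or by everyone.
# /tmp (drwxrwxrwt) matches: the sticky bit does not stop others creating files.
writable_by_others() {
    case $(ls -ldL "$1" 2>/dev/null) in
        d????w*|d???????w*) return 0 ;;
    esac
    return 1
}

# audit_path PATHSTRING
# Prints "<reason>: <entry>" for every risky entry; returns 1 if any was found.
audit_path() {
    ap_rest="$1:"      # trailing colon keeps a final empty entry visible
    ap_status=0
    while [ -n "$ap_rest" ]; do
        ap_entry=${ap_rest%%:*}
        ap_rest=${ap_rest#*:}
        case $ap_entry in
            '')
                # "::", a leading ":" or a trailing ":" all mean the current directory
                echo "empty (means current directory): ''"; ap_status=1 ;;
            /*)
                if writable_by_others "$ap_entry"; then
                    echo "writable by others: $ap_entry"; ap_status=1
                fi ;;
            *)
                # ".", "..", "./", "bin": resolved against whatever $PWD is
                echo "relative: $ap_entry"; ap_status=1 ;;
        esac
    done
    return $ap_status
}
```

After sourcing the file, `audit_path "$PATH"` checks the current shell; absolute entries that do not exist are skipped.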