Thank you Yaron and Josh!!

When I saw your emails, I had that kind of an Ah moment!! I know it's a big security problem...... I just wanted to understand what was going on.

Thanks
Brock

On 6/1/05, Yaron <tclug at freakzilla.com> wrote:
>
> On Wed, 1 Jun 2005, Brock Noland wrote:
>
> > When running a script which is not in my path I have always used
> > ./script_name. However at my current job most people are used to not
> > having to use the ./. My question is how do you get scripts to run
> > WITHOUT the ./?
>
> That's because they have the current directory in the path.
>
> THIS IS A HUGE SECURITY VULNERABILITY and you should never, EVER do it.
> Keep using the ./script. It's MUCH better than compromising security on
> your box. I cannot stress this enough: do NOT add Current Directory to the
> path.
>
>
>
> Here's why this is important. One method of cracking a machine is
> replacing commonly run programs with trojan versions of the same program.
> It might be hard to replace /bin/ls, but NOT that hard to drop your trojan
> 'ls' program in many different directories. /tmp, for example, is always
> world-writable.
>
> So let's say I put a trojan version of ls, cp, mv, ssh or whatever in /tmp.
> And then you cd to /tmp and execute one of these programs.
>
> If Current Directory is in your path, you've just run one of my trojans.
>
> So, once again. DON'T DO IT.
>
>
> -Yaron
>
> --
>
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> tclug-list at mn-linux.org
> http://mailman.mn-linux.org/mailman/listinfo/tclug-list
>
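
Added example (not part of the original thread): a POSIX shell check for the PATH entries Yaron warns about. It goes a little beyond the thread by also flagging empty entries (a leading, trailing or doubled colon, which the shell treats as the current directory), relative entries and world-writable directories; the function name `audit_path` is an assumption of this example.

```shell
#!/bin/sh
# audit_path PATH_STRING
# Prints one line per risky entry; returns 0 if the PATH is clean, 1 otherwise.
audit_path() {
    risky=0
    # Append a colon so a trailing empty entry is not lost when splitting.
    rest="$1:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text before the first colon
        rest=${rest#*:}     # text after the first colon
        case $entry in
            "")
                echo "empty entry: searched as the current directory"
                risky=1 ;;
            .)
                echo "explicit '.' entry: the current directory"
                risky=1 ;;
            /*)
                # Absolute directory: flag it if "other" has write permission,
                # since anyone could then drop an 'ls' or 'ssh' into it.
                # -L follows symlinks such as /bin -> usr/bin.
                case $(ls -ldL -- "$entry" 2>/dev/null) in
                    ????????w*)
                        echo "world-writable directory: $entry"
                        risky=1 ;;
                esac ;;
            *)
                echo "relative entry, resolved against the current directory: $entry"
                risky=1 ;;
        esac
    done
    return $risky
}

# Audit the PATH of the current shell.
audit_path "$PATH" || echo "PATH contains the risky entries listed above" >&2
```

Run it as each user whose PATH matters (root especially), since the current-directory entry is usually added in a per-user or site-wide shell profile.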