Why is it Bad Idea to insert "." (Dot) to PATH ?


 
Thread Tools Search this Thread
Top Forums UNIX for Dummies Questions & Answers Why is it Bad Idea to insert "." (Dot) to PATH ?
# 1  
Old 11-06-2005
Why is it Bad Idea to insert "." (Dot) to PATH ?

I was told that it's a Bad Idea (especially for root ) to Add To the Variable $PATH in unix the ":." (dot),
In order to execute programs in my current directory without typing ./program
For example: PATH=$PATH:$HOME/bin:.
Does someone know why is it a Bad Idea?
# 2  
Old 11-06-2005
Quote:
Originally Posted by amitbern
I was told that it's a Bad Idea (especially for root ) to Add To the Variable $PATH in unix the ":." (dot),
In order to execute programs in my current directory without typing ./program
For example: PATH=$PATH:$HOME/bin:.
Does someone know why is it a Bad Idea?
Simply because you may have something in your CWD that is the same name as a Unix command. For example (an extreme case I know), imagine you had this as a script called ls.
Code:
#! /usr/bin/ksh
rm -rf *

now imagine running that as root, from roots' $HOME
# 3  
Old 11-07-2005
In addition to avoiding accidents like reborg talked about, it is also a security issue. A virus, trojan, or hacker can insert nasty code with the same name as a common Unix command anywhere and hope root executes it by accident if "." at the start of root's path.

For example, if I break into your box as a normal non-root user, I could create a file named "cd" in some directory I have write access to. What if my script has one simple command:

rm -rf $1

Now when root tries to cd to anywhere from the directory I put my script in, it wipes out that directory instead. Alternately, you could have your script email vital files to the attacker, change data, or any other bad thing you can imagine. If you can trick root into running it for you, he's hosed.

It's basically the same thing as reborg said I guess. But you may have thought "I'd never name a script like that and cause a problem." My example above is why you still shouldn't have . in your path - you might not do something dumb yourself, but having . in the path makes it easier for the bad guys to get you.
 
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

find . -path "*_nobackup*" -prune -iname "*.PDF" \( ! -name "*_nobackup.*" \)

These three finds worked as expected: $ find . -iname "*.PDF" $ find . -iname "*.PDF" \( ! -name "*_nobackup.*" \) $ find . -path "*_nobackup*" -prune -iname "*.PDF" They all returned the match: ./folder/file.pdf :b: This find returned no matches: $ find . -path "*_nobackup*" -prune... (3 Replies)
Discussion started by: wolfv
3 Replies

2. Shell Programming and Scripting

grep with "[" and "]" and "dot" within the search string

Hello. Following recommendations for one of my threads, this is working perfectly : #!/bin/bash CNT=$( grep -c -e "some text 1" -e "some text 2" -e "some text 3" "/tmp/log_file.txt" ) Now I need a grep success for some thing like : #!/bin/bash CNT=$( grep -c -e "some text_1... (4 Replies)
Discussion started by: jcdole
4 Replies

3. Shell Programming and Scripting

Substituting comma "," for dot "." in a specific column when comma"," is a delimiter

Hi, I'm dealing with an issue and losing a lot of hours figuring out how i would solve this. I have an input file which looks like this: ('BLABLA +200-GRS','Serviço ','TarifaçãoServiço','wap.bla.us.0000000121',2985,0,55,' de conversão em escada','Dia','Domingos') ('BLABLA +200-GRR','Serviço... (6 Replies)
Discussion started by: poliver
6 Replies

4. Shell Programming and Scripting

"find . -printf" without prepended "." path? Getting path to current working directory?

If I enter (simplified): find . -printf "%p\n" then all files in the output are prepended by a "." like ./local/share/test23.log How can achieve that a.) the leading "./" is omitted and/or b.) the full path to the current directory is inserted (enclosed by brackets and a blank)... (1 Reply)
Discussion started by: pstein
1 Replies

5. Shell Programming and Scripting

awk command to replace ";" with "|" and ""|" at diferent places in line of file

Hi, I have line in input file as below: 3G_CENTRAL;INDONESIA_(M)_TELKOMSEL;SPECIAL_WORLD_GRP_7_FA_2_TELKOMSEL My expected output for line in the file must be : "1-Radon1-cMOC_deg"|"LDIndex"|"3G_CENTRAL|INDONESIA_(M)_TELKOMSEL"|LAST|"SPECIAL_WORLD_GRP_7_FA_2_TELKOMSEL" Can someone... (7 Replies)
Discussion started by: shis100
7 Replies

6. Shell Programming and Scripting

Regular Expression doesn't match dot "." in a string

hello, I am writting a regular expression that intend to match any tunnel or serial interface but it doesn't mtach any serial sub-interface. For example, statement should match "Tunnel3" or "Serial0/1" but shouldn't match "Serial0\1.1" (doesn't include dot ".") I tried the following but... (3 Replies)
Discussion started by: ahmed_zaher
3 Replies

7. Shell Programming and Scripting

Set command ending with a "." (dot)

Hi I have a "set" command which ends with a "." (dot), for example: set `grep "\<${pnum}\>" /tstmp/data.txt |sed 's/#//'` . Can somebody help me to understand the purpose of this "set" and "." combination? The problem is that this command does not produce the same result when run on AIX... (2 Replies)
Discussion started by: aoussenko
2 Replies

8. Shell Programming and Scripting

Idea for an "informative" bash alias or script

I had the idea come into my head that it would be good to have a single command that gave file type, file size, last modification date, and owner/group information, like what one would see in a GUI "Properties" dialog, but all in a terminal window. In my opinion, these statistics about a file... (5 Replies)
Discussion started by: SilversleevesX
5 Replies

9. Shell Programming and Scripting

read -p "prompt text" foo say "read: bad option(s)" in Bourne-Shell

Hallo, i need a Prompting read in my script: read -p "Enter your command: " command But i always get this Error: -p: is not an identifier When I run these in c-shell i get this error /usr/bin/read: read: bad option(s) How can I use a Prompt in the read command? (9 Replies)
Discussion started by: wiseguy
9 Replies

10. UNIX for Advanced & Expert Users

permission denied for ". " (dot space)

Hi, When I try to run a script with ". "(dot space) in my home, it gives me error ".: Permission denied". Any explanation for this behaviour? Thanks in advance, -Ashish (3 Replies)
Discussion started by: shriashishpatil
3 Replies
Login or Register to Ask a Question