Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!decvax!harpo!floyd!vax135!ariel!hou5f!hou5e!hou5d!hogpc!houxq!3723edm
From: 3723edm@houxq.UUCP (E.MANTEL)
Newsgroups: net.unix-wizards
Subject: Security and $PATH
Message-ID: <396@houxq.UUCP>
Date: Sat, 30-Jul-83 15:45:17 EDT
Article-I.D.: houxq.396
Posted: Sat Jul 30 15:45:17 1983
Date-Received: Mon, 1-Aug-83 08:50:59 EDT
Lines: 12

On the UNIX systems I am familiar with (running USG 5.0), the PATH
variable is set, both in /etc/profile and in login, to begin with a ':',
meaning that the current directory is the first directory to be searched.

It seems to me that this is a significant security hole, because it means
that a user can set a booby trap by writing a shell that has the same name
as a common command, but does something significantly different.

Is it a common practice to have the default PATH begin with a ':'?
Is there a real good reason to make this the default?

Eli Mantel, houxq!3723edm, ABI ED&D Holmdel
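
An added example, not part of the original article: POSIX shell functions that check a PATH string for the condition the post describes (an empty field such as a leading ':', which the shell treats as the current directory) along with '.' and other relative entries, and that print a PATH with those entries dropped. The function names path_audit and path_clean and the sample value are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example. An empty PATH field (leading ':', trailing ':', or '::')
# and a literal '.' both make the shell search the current directory.

# path_audit PATHSTRING  (hypothetical helper name)
# Prints "<field-number> <kind>" for each risky entry; returns 1 if any found.
path_audit() {
    rest="$1:"          # sentinel ':' so a trailing empty field is still seen
    pos=0
    bad=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text before the first ':'
        rest=${rest#*:}     # text after the first ':'
        pos=$((pos + 1))
        case $entry in
            '') echo "$pos empty";    bad=1 ;;
            .)  echo "$pos dot";      bad=1 ;;
            /*) ;;                          # absolute directory: acceptable
            *)  echo "$pos relative"; bad=1 ;;
        esac
    done
    return $bad
}

# path_clean PATHSTRING  (hypothetical helper name)
# Prints PATHSTRING keeping only absolute entries, in their original order.
path_clean() {
    rest="$1:"
    out=
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            /*) out=${out:+$out:}$entry ;;
        esac
    done
    printf '%s\n' "$out"
}

# Constructed sample: a default PATH that begins with ':' as in the post.
sample=':/bin:/usr/bin'
path_audit "$sample" || echo "cleaned: $(path_clean "$sample")"
```

Running path_audit "$PATH" in a login shell shows whether /etc/profile or login has left such an entry in place.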