Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!decvax!harpo!floyd!vax135!ariel!hou5f!hou5e!hou5d!hogpc!houxq!3723edm
From: 3723edm@houxq.UUCP (E.MANTEL)
Newsgroups: net.unix-wizards
Subject: Security and $PATH
Message-ID: <396@houxq.UUCP>
Date: Sat, 30-Jul-83 15:45:17 EDT
Article-I.D.: houxq.396
Posted: Sat Jul 30 15:45:17 1983
Date-Received: Mon, 1-Aug-83 08:50:59 EDT
Lines: 12

On the UNIX systems I am familiar with (running USG 5.0), the PATH variable is
set, both in /etc/profile and in login, to begin with a ':', meaning that the
current directory is the first directory to be searched.

It seems to me that this is a significant security hole, because it means that
a user can set a booby trap by writing a shell that has the same name as a
common command, but does something significantly different.

Is it a common practice to have the default PATH begin with a ':'?
Is there a real good reason to make this the default?

	Eli Mantel, houxq!3723edm, ABI ED&D Holmdel
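
An added example, not part of the original post: a POSIX sh check that reports which entries of a PATH value are resolved against the current directory (a leading, trailing or doubled ':' as well as '.' and other relative names) and builds a copy that keeps only absolute directories. The function names `audit_path` and `absolute_only_path` and the sample value are assumptions made for this example.

```shell
#!/bin/sh
# Added example; audit_path and absolute_only_path are hypothetical names.

# Report every PATH entry that is resolved against the current directory.
# The "( )" body runs in a subshell, so variables do not leak to the caller.
audit_path() (
    p="$1:"              # sentinel ':' so a trailing empty entry is seen too
    i=0 bad=0
    while [ -n "$p" ]; do
        entry=${p%%:*}   # text before the first ':'
        p=${p#*:}        # remainder after the first ':'
        i=$((i + 1))
        case $entry in
            '') printf '%d: empty entry, searched as the current directory\n' "$i"; bad=1 ;;
            .)  printf '%d: explicit "."\n' "$i"; bad=1 ;;
            /*) ;;       # absolute: does not depend on the current directory
            *)  printf '%d: relative entry "%s"\n' "$i" "$entry"; bad=1 ;;
        esac
    done
    [ "$bad" -eq 0 ]     # exit status 0 only when nothing was reported
)

# Print the same PATH with every non-absolute entry removed, order preserved.
absolute_only_path() (
    p="$1:" out=
    while [ -n "$p" ]; do
        entry=${p%%:*}
        p=${p#*:}
        case $entry in
            /*) out=${out:+$out:}$entry ;;
        esac
    done
    printf '%s\n' "$out"
)

# Constructed sample in the style the post describes: PATH beginning with ':'.
sample=':/bin:/usr/bin'
audit_path "$sample" || printf 'cleaned: %s\n' "$(absolute_only_path "$sample")"
```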