Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10 5/3/83; site sequel.UUCP
Path: utzoo!linus!decvax!tektronix!ogcvax!sequel!van
From: van@sequel.UUCP
Newsgroups: net.unix-wizards
Subject: Re: Security and $PATH
Message-ID: <241@sequel.UUCP>
Date: Tue, 2-Aug-83 13:59:45 EDT
Article-I.D.: sequel.241
Posted: Tue Aug 2 13:59:45 1983
Date-Received: Wed, 3-Aug-83 10:17:00 EDT
References: <396@houxq.UUCP> <939@rlgvax.UUCP>
Organization: Sequel Computer Systems, Portland
Lines: 22

The discussion of whether to allow '.' in the $PATH reminds me of an incident that occurred where I used to work. When we first got our VAX/UNIX system up, one of the people in charge of the system wrote two utilities which he called au (add user) and du (delete user) and which were very useful for doing those jobs. He placed these in the /etc directory.

About 3 months later the other system administrator was trying to determine how much disk space was used by a certain user. So he typed 'du /user/user_name'. Unfortunately, he was in /etc at the time and '.' was the first entry in his $PATH. When du didn't print the expected data on the screen, he scratched his head and typed 'du /user/*'. Fortunately, a few seconds into this he aborted the command. By that time, though, he had removed 4 users and their entire directory structures and partially removed a fifth (me).

Needless to say, du was quickly renamed 'removeuser' and the administrator paid the price by having to spend a couple of days restoring all our files from backup tapes.

I hope that this illustrates the problem of having '.' at the start of your $PATH and the problem of not choosing reasonable names for dangerous utilities.

-- John Vander Borght
...pur-ee!sequel!van
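Added example, not part of the original post: a POSIX shell audit for the situation described above. It reports $PATH entries that resolve against the current directory and names in a directory that would hide a same-named command found later in $PATH. The function names `path_risky_entries` and `shadowing_names` are hypothetical helpers invented for this illustration.

```shell
#!/bin/sh
# Added illustration; helper names are hypothetical, not from any existing tool.

# $1: a PATH-style string. Prints "position:entry" for every entry the shell
# resolves relative to the current directory: ".", an empty entry (leading,
# trailing or doubled colon), or any entry that does not start with "/".
path_risky_entries() (
    rest="$1:"
    pos=1
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case "$entry" in
            /*) ;;
            *) printf '%s:%s\n' "$pos" "${entry:-<empty>}" ;;
        esac
        pos=$((pos + 1))
    done
)

# $1: directory standing in for "."; $2: a PATH-style string.
# Prints "name -> /abs/dir/name" for each executable file in $1 that would
# run instead of a same-named command in an absolute PATH entry when "."
# precedes that entry (the post's /etc/du hiding the disk-usage du).
shadowing_names() (
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        name=${f##*/}
        r="$2:"
        while [ -n "$r" ]; do
            entry=${r%%:*}
            r=${r#*:}
            case "$entry" in /*) ;; *) continue ;; esac
            [ "$entry" = "$dir" ] && continue   # a file cannot shadow itself
            if [ -x "$entry/$name" ] && [ ! -d "$entry/$name" ]; then
                printf '%s -> %s\n' "$name" "$entry/$name"
                break
            fi
        done
    done
)

# Report for the invoking shell's own environment.
echo "Relative or empty PATH entries:"
path_risky_entries "$PATH"
echo "Names in $PWD that hide a command found elsewhere in PATH:"
shadowing_names "$PWD" "$PATH"
```

Run it from the directories administrators routinely work in as root; any output from the first report means the second one matters.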