Security Warning (esp. re. Tom Roell's X-server)

David Rector drector at orion.oac.uci.edu
Fri Dec 21 10:34:12 AEST 1990


I am compiling Tom Roell's X-server and have found an instance of a
serious UNIX security problem that is too little known to the UNIX
user community.

In mit/config/at386.cf, the definitions

#define DefaultUserPath .:/bin:/usr/bin:/sur/bin/X11:/usr/local/bin
#define DefaultSystemPath .:/bin:/usr/bin:/sur/bin/X11:/usr/local/bin:/etc

appear.  The '.' (current directory) should be deleted from these lines.

WARNING: NEVER put '.' (current directory) first in your path.  

Better yet, don't put '.' in your path at all.  It leaves you
vulnerable to a classic trojan horse: a fake 'ls', or other UNIX
command, in someone's directory.  System administrators, consultants,
course instructors, and so forth, are particularly vulnerable to this
ploy.  (A computer science teaching assistant at my campus got zapped
with this recently.)

The insidious nature of this security hole is that only the individual
user can protect him/herself from attack.  Naturally, in keeping with
the documentation standards of the UNIX community, mention of this
problem does not appear anywhere that ordinary users--or even
ordinary system administrators--are likely to encounter it.

----------

To Tom Roell: thank you for the service you have performed for the i386
user community in creating your PD X-server.  As for the fuss over
legality, in the US we have a fake Latin saying:

     "Illegitimi non carborundum est"

which we translate

     "Don't let the bastards grind you down!"




-- 
David L. Rector				drector at orion.oac.uci.edu
Dept. of Math.				U. C. Irvine, Irvine CA 92717
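[Editor's note: the following is an added demonstration, not part of
David Rector's post or of Tom Roell's X-server.  It reproduces the
trojan-horse scenario he describes with a constructed scratch directory
standing in for "someone's directory", containing a planted 'ls' that
leaves a marker file before handing off to the real /bin/ls, and shows
a check that flags a PATH with '.' or an empty component (an empty
component between two colons also means the current directory).  It
assumes a POSIX sh, mktemp(1) and a real /bin/ls; function and file
names are this example's own.]

```shell
#!/bin/sh
# Added example (not from the original post): the '.'-in-PATH trojan horse
# and a PATH audit.  All directories and files below are constructed here.

# Build a scratch "attacker" directory holding an executable named 'ls'.
# The planted script records that it ran, then execs the real /bin/ls so the
# victim sees a normal listing and notices nothing.  Prints the directory.
setup_trap_dir() {
    trap_dir=$(mktemp -d)
    cat > "$trap_dir/ls" <<'EOF'
#!/bin/sh
# planted trojan: leave evidence, then behave like the real command
echo "trojan ls ran as $(id -un)" >> "$(dirname "$0")/marker"
exec /bin/ls "$@"
EOF
    chmod +x "$trap_dir/ls"
    printf '%s\n' "$trap_dir"
}

# Run a plain 'ls' from inside the trap directory under the given PATH and
# report which binary the shell resolved: "trojan" if the planted ./ls ran
# (it leaves the marker file), "real" otherwise.
run_ls_with_path() {
    trap_dir=$1; candidate_path=$2
    rm -f "$trap_dir/marker"
    ( cd "$trap_dir" && PATH=$candidate_path ls >/dev/null 2>&1 )
    if [ -f "$trap_dir/marker" ]; then echo trojan; else echo real; fi
}

# Audit a PATH string.  Wrapping it in colons makes leading, trailing and
# interior components look alike, so one pattern catches '.' anywhere and
# '::' (an empty component, which the shell also treats as '.').
# Returns 0 if the PATH is safe, 1 if it contains the current directory.
path_is_safe() {
    case ":$1:" in
        *::*|*:.:*) return 1 ;;
    esac
    return 0
}

# Rebuild a PATH with every '.' and empty component removed, preserving the
# order of the remaining entries (the fix recommended in the post above).
sanitize_path() {
    out=
    rest="$1:"
    while [ -n "$rest" ]; do
        comp=${rest%%:*}
        rest=${rest#*:}
        case "$comp" in
            ''|.) ;;                              # drop current-directory entries
            *) out="${out:+$out:}$comp" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Stand-alone walk-through: the DefaultUserPath from the post, as quoted,
# versus the same path with '.' removed.
if [ "${DEMO:-0}" = 1 ]; then
    d=$(setup_trap_dir)
    unsafe='.:/bin:/usr/bin:/usr/bin/X11:/usr/local/bin'
    safe=$(sanitize_path "$unsafe")
    echo "PATH=$unsafe -> $(run_ls_with_path "$d" "$unsafe")"
    echo "PATH=$safe -> $(run_ls_with_path "$d" "$safe")"
    rm -rf "$d"
fi
```

Run with DEMO=1 to see the planted 'ls' win under the first PATH and
/bin/ls win under the sanitized one.  The audit is deliberately written
on the colon-wrapped string rather than by word-splitting on IFS=':',
because several shells silently drop a trailing empty field when
splitting, which would hide a PATH ending in ':'.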


