From: Tim McDaniel
Date: Mon, 12 Dec 2011 07:13:00 -0000
cc: cygwin@cygwin.com
Subject: Re: Latest cygwin.bat - need one

On Mon, 12 Dec 2011, Mike Brown wrote:
> Doing some more digging I found
> the following posting (via google):
>
> > Does changing 'bash' to '/bin/bash' make a difference?
>
> Answering my own question: yes.
>
> There was a change in execvp()'s behaviour to no longer look up
> an executable in the current working directory, wasn't there? I
> can't find it in the ChangeLog though.
>
> You've got to be kidding.
> Why was the looking into CWD removed?

PATH specifies the list of directories to search for executables.
So if execvp() ever used "." unconditionally regardless of PATH,
then it violated one of the most long-standing UNIXy rules.

It can also be a massive security hole. On a multi-user system, I can
put a script named "ls" in /tmp, or other likely directory for others
to cd to, to
- copy /bin/bash to some location
- set the setuid bit and setgid on this copy
- run /bin/ls
(Bonus points: somehow filter out this nasty ls script if they are
looking at /tmp. This is hard.)
Anyone foolish enough to put "." near the start of their PATH and who
did
    cd /tmp
    ls
would thereby get their account hacked, and changing their password
would do no good. I removed "." from my PATH in the 1980s for just
this reason.

At least if "." is after standard system directories like /bin
/usr/bin, it mitigates the problem to a large extent: it catches only
typos and attempts to run programs that you don't have installed.
I wonder if there are any common typos to try for.

If execvp() ever looked in "." unconditionally, there would be no way
to ever completely close this security hole.

-- 
Tim McDaniel, tmcd@panix.com
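
An added example, not part of the message above and not Cygwin code: a POSIX shell check for the condition the message warns about. It flags PATH entries that resolve against the current working directory ("." or an empty entry, plus any other relative entry) and reports whether each sits before or after /bin and /usr/bin. The function name audit_path, its output format and SAMPLE_PATH are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a PATH string for entries that depend on the
# current working directory.
# Output, one line per flagged entry:
#   <position> <kind> <placement> [<entry>]
#   kind:      cwd (entry is "." or empty) | relative (no leading /)
#   placement: before-system | after-system, relative to /bin and /usr/bin
# Returns 0 when nothing is flagged, 1 otherwise.
audit_path() {
    _rest=$1 _pos=0 _system=before-system _found=0
    while :; do
        # Peel off one colon-separated entry, keeping empty ones
        # (a leading, trailing or doubled colon also means "current directory").
        case $_rest in
            *:*) _entry=${_rest%%:*}; _rest=${_rest#*:}; _last=no ;;
            *)   _entry=$_rest; _last=yes ;;
        esac
        _pos=$((_pos + 1))
        case $_entry in
            /bin|/bin/|/usr/bin|/usr/bin/) _system=after-system; _kind= ;;
            ''|.)                          _kind=cwd ;;
            /*)                            _kind= ;;
            *)                             _kind=relative ;;
        esac
        if [ -n "$_kind" ]; then
            printf '%d %s %s [%s]\n' "$_pos" "$_kind" "$_system" "$_entry"
            _found=1
        fi
        if [ "$_last" = yes ]; then break; fi
    done
    return "$_found"
}

# Constructed sample value, not taken from the thread.
SAMPLE_PATH='.:/usr/local/bin:/usr/bin:/bin::tools'
audit_path "$SAMPLE_PATH" || true
```

Entries reported as before-system are the case the message calls out; after-system entries only come into play for names that are not found in the system directories.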