This is the mail archive of the cygwin@sourceware.cygnus.com mailing list for the Cygwin project.



Security hole in Cygwin FAQ


The Cygwin FAQ says:
Shell scripts aren't running properly from my makefiles?

You need to have . (dot) in your $PATH. You should NOT need to add /bin/sh in front of each and every shell script invoked in your Makefiles.

If you need to execute something in the current directory, call for it explicitly, as ./foobar, not as foobar and count on the current directory being in your path.

According to Practical Unix Security, by Garfinkel & Spafford (O'Reilly & Associates), page 152:

The current directory, as designated by a null directory or period, should never be included in the search path.
The reason is that an attacker can put a password-catching program or other malicious program under a commonly-used name, such as ls, su, rlogin, login, ftp, etc. By placing the trojan horse in a place where you might execute it, such as /tmp, or by subterfuge suggested in the book, if "." is in the path, the unsuspecting user will execute the trojan horse instead of the intended program.

The authors recommend:

We strongly recommend that you get in the habit of typing the full pathname of commands when you are running as root.  For example, instead of just typing chown, type /etc/chown to be sure you are getting the system version!  This may seem like extra work, but when you are running as root, you also bear extra responsibility.  Not only will this help protect you against changes in your search path, it will also prevent surreptitiously-set aliases from working.
Granted, there isn't much security on Windows. However, you shouldn't reinforce bad practices.

Steve Kelem

begin:vcard 
n:Kelem;Steve
tel;fax:408-399-8905
tel;work:408-335-2718
x-mozilla-html:FALSE
url:http://www.adaptivesilicon.com
org:Adaptive Silicon, Inc.
adr:;;985 University Ave., Suite 31;Los Gatos;CA;95032-7639;U.S.
version:2.1
email;internet:kelem@adaptivesilicon.com
title:Chief Scientist
fn:Steve Kelem
end:vcard
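The hazard the message describes is mechanical: any PATH entry that is "." (or empty, or relative) makes the shell resolve command names against the current working directory. The following POSIX sh functions are an added example, not code from the message, the Cygwin FAQ or the cited book; they audit a PATH string for such entries and produce a cleaned copy, so a login script or Makefile can reject or repair the search path before running anything. The names path_check, path_sanitize and the sample PATH values are this example's own.

```sh
#!/bin/sh
# Added example: audit and sanitize a colon-separated PATH.
# Unsafe entries, per the discussion above:
#   - "."            explicit current directory
#   - ""             empty field (leading, trailing or doubled colon);
#                    the shell treats it as the current directory
#   - anything not   relative entries are resolved against the current
#     starting "/"   directory too
#
# path_check PATH   prints one line per unsafe entry; returns 0 if clean,
#                   1 otherwise.
path_check() {
    _rest="$1:"   # sentinel colon so a trailing empty field is not lost
    _rc=0
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}      # field before the first colon
        _rest=${_rest#*:}        # remainder after that colon
        case "$_entry" in
            "")  echo "unsafe: empty entry (current directory)"; _rc=1 ;;
            .)   echo "unsafe: '.' (current directory)";         _rc=1 ;;
            /*)  : ;;            # absolute: acceptable for this check
            *)   echo "unsafe: relative entry '$_entry'";       _rc=1 ;;
        esac
    done
    return $_rc
}

# path_sanitize PATH   prints a copy of PATH keeping only absolute entries.
path_sanitize() {
    _rest="$1:"
    _out=""
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        case "$_entry" in
            /*) _out="${_out:+$_out:}$_entry" ;;   # keep, joining with ':'
            *)  : ;;                               # drop "", "." and relative
        esac
    done
    printf '%s\n' "$_out"
}

# Demonstration on a constructed PATH (not a real system's value). The
# doubled colon and the '.' both point at the current directory.
DEMO_PATH='.:/usr/local/bin::/usr/bin:/bin:bin'
echo "checking: $DEMO_PATH"
path_check "$DEMO_PATH" || echo "PATH is unsafe; cleaned: $(path_sanitize "$DEMO_PATH")"
```

Scripts that still need a file in the working directory should call it as ./foobar, exactly as the message recommends, rather than relying on the search path; a profile can apply PATH=$(path_sanitize "$PATH") at login to enforce the same rule for interactive shells.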
