> The threat, such as it is, comes from trojan horses. Suppose . is at the
> end of my path, where it usually would be. Say I run a custom program a
> lot called "foo" and store it in my home directory. There's no "foo" in
> the standard system paths, so things work out just fine most of the time.
>
> But if someone knows or guesses that I like to run "foo" and also guesses
> that I might change to /tmp (or some other world-writable directory) and
> type "foo," he can stick his own "foo" in /tmp and wait for me to run it.
are ".history" files set group/world readable on pantheon? if so, why
wouldn't a cracker just look through someones history file and shell
configuration file to figure out what's vulnerable?
if someone wants to attack from outside (say, using IRC and "giving" a
file), as a "CA" as an undergrad I've seen a "given cool file" turn out to
be the shell configuration file (.cshrc) which overwrote the users .cshrc
so that the first thing that would happen after login would be an "invalid
password" message followed by a passwd request (sans user ID!) which
mailed the passwd to the cracker...the user actually fell for it! as I
recall (possibly faulty here, possibly some other hint) we found a high
level of ftp access on the account...we locked out the account and had the
user change their passwd and agree never to do that again...:)
point: there are much easier ways to take advantage of user practices...
> I think the convenience is worth the slight risk, though.
Amen...
Michael
----------------------------------------------------------------------
Michael Osier = michael.osier@yale.edu | "He is not well rounded who does
http://chloe.hgs.yale.edu/~og/ | not have an equally keen interest
BS Biochemical Science - UVM | in all of the things within the
Yale University | compass of painting."
Human Genetics - Og | Leonardo da Vinci