Ouch! For the record, Shawn initially argued the case _for_ the dot-in-path
to WSS, and I argued the case against. We eventually decided that security
concerns outweigh convenience concerns in this case.
I still think having the current directory in your path is a crappy idea.
And I'm not the only one who thinks so -- for example, Garfinkel and Spafford
say in _Practical Unix and Internet Security_:
"No sensitive account should ever have the current directory in its search
path. This rule is especially true of the superuser account! More
generally, you should never have a directory in your search path that is
writable by other users.
...
Putting the current directory last in the search path is also not a good
idea. For instance, if you use the more command frequently, but sometimes
type mroe, the attacker can take advantage of this by placing a Trojan
horse named mroe in this directory."
Again, users always have the option of putting themselves at risk by adding
the . to their system path. Users also have the option of posting their
password on a public web page. Just as it wouldn't be a good policy to have
all user passwords automatically posted on a web page without the users'
knowledge, it's not a good idea to have users exposed to this security problem
by default. This is _especially_ true for beginner users who aren't aware of
the problem to begin with and will be most susceptible to trickery.
imho,
don
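As an added illustration (not part of the post above, and not WSS code), here is a small POSIX sh check that audits a PATH string for exactly the conditions Garfinkel and Spafford warn about: the current directory in any spelling ("." or an empty entry, including a trailing colon), relative entries, and directories writable by other users. The function name audit_path and its output format are my own choices.

```sh
#!/bin/sh
# audit_path: report PATH entries that let another user plant a look-alike
# command (the "mroe" case in the quoted passage). Flags the current
# directory in any spelling ("." or an empty entry), relative entries, and
# directories other users can write to. Returns 0 when clean, 1 otherwise.
# Usage: audit_path "$PATH"   (with no argument it audits the caller's PATH)
audit_path() {
    rest="${1-$PATH}:"          # trailing ':' sentinel so an empty last entry is seen
    findings=0
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"     # text before the first ':'
        rest="${rest#*:}"       # everything after it
        case "$entry" in
            ''|.)
                echo "INSECURE: current directory in PATH (entry '${entry:-<empty>}')"
                findings=$((findings + 1)) ;;
            /*)
                if [ -d "$entry" ]; then
                    # In 'ls -ld' output column 9 is the world-write bit,
                    # column 6 the group-write bit; cut drops ACL markers.
                    mode=$(ls -ld "$entry" 2>/dev/null | cut -c1-10)
                    case "$mode" in
                        ????????w?)
                            echo "INSECURE: $entry is world-writable ($mode)"
                            findings=$((findings + 1)) ;;
                        ?????w????)
                            echo "WARNING: $entry is group-writable ($mode)" ;;
                    esac
                else
                    echo "NOTE: $entry does not exist (harmless, but check for typos)"
                fi ;;
            *)
                echo "INSECURE: relative entry '$entry' resolves differently in every directory"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}
```

Run it as audit_path "$PATH" from a login shell, or drop it into a login script so new accounts get a warning the first time they log in. The trailing-colon case matters because "PATH=/usr/bin:" is a common accidental way of adding "." without it ever appearing in the string.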