Why shouldn't I add the current directory to PATH in Linux?

In summary, adding the current directory to the $PATH variable can lead to security vulnerabilities, because a program planted in the current directory by a malicious user can run in place of the command you intended. This can be mitigated by placing the current directory at the end of $PATH rather than the beginning. The example in the thread demonstrates this: a sneaky ls command in the current directory is executed instead of the authentic one in the /bin directory.
  • #1
shivajikobardan

I get that if I put the current directory in PATH like said above, I can execute commands from any directory. But what's the problem in that? How is another person able to come and execute it? Why does it make the system insecure compared to the case where we don't put the current directory in PATH? Can you explain the example he's telling?
 
  • #2
To make his example more explicit, suppose that the directory you're currently in has a program (put there by some sneaky person) named ls that reformats your disk, or encrypts it with a secret password, or something like that. You decide to find out what files are in the directory, and type the usual ls command. It runs the sneaky ls instead of the normal ls command, which is something like /usr/bin/ls.
 
  • #3
In that example, the system will look in the current directory before looking in /bin or /usr/bin. It will therefore run the dodgy ./ls rather than the authentic /bin/ls. And the malicious user can modify ./ls so it doesn't list itself when imitating the output of /bin/ls.

This can be mitigated by placing . at the end of $PATH rather than the beginning.
 
  • #4
pasmith said:
In that example, the system will look in the current directory before looking in /bin or /usr/bin. It will therefore run the dodgy ./ls rather than the authentic /bin/ls. And the malicious user can modify ./ls so it doesn't list itself when imitating the output of /bin/ls.

This can be mitigated by placing . at the end of $PATH rather than the beginning.
Thank you. I got this now.
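
To check a shell for the situation posts #2 and #3 describe, here is an added example (not part of the original thread) that audits a PATH string. It goes beyond the thread by also flagging empty entries (which the shell treats as the current directory), relative entries, and world-writable directories; the function name audit_path and the sample paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): flag PATH entries that let a file
# planted in a directory you visit, or in a directory other users can write
# to, run in place of the command you meant to type.

# audit_path PATH_STRING
# Prints "<position>:<kind>:<entry>" for each risky entry.
# Returns 1 if any risky entry was found, 0 if the string is clean.
audit_path() {
    rest="$1:"      # trailing ":" so the last entry is handled like the others
    pos=0
    found=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}       # text before the first ":"
        rest=${rest#*:}         # everything after it
        pos=$((pos + 1))
        case $entry in
            "") kind=empty ;;       # zero-length entry means current directory
            .)  kind=dot ;;
            /*) kind=
                if [ -d "$entry" ]; then
                    # -L follows symlinks such as /bin -> usr/bin;
                    # the 9th character of the mode is "write by others".
                    case $(ls -ldL -- "$entry") in
                        ????????w*) kind=world-writable ;;
                    esac
                fi ;;
            *)  kind=relative ;;    # resolved against the current directory
        esac
        if [ -n "$kind" ]; then
            printf '%s:%s:%s\n' "$pos" "$kind" "$entry"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample inputs (the /opt/example paths are placeholders):
#   audit_path ".:/opt/example/bin"    prints 1:dot:.
#   audit_path "/opt/example/bin:"     prints 2:empty:
# Audit the running shell with: audit_path "$PATH"
```

Entries are reported whatever their position: a current-directory entry at the end of PATH is searched last, but it still matches any command name not found in the earlier directories.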
 
