Why shouldn't I add the current directory to PATH in Linux?

AI Thread Summary
Adding the current directory to the system PATH allows users to execute commands from any directory, but it poses security risks. If a malicious program is placed in the current directory with the same name as a legitimate command, such as "ls," the system will execute the malicious version instead of the authentic one. This can lead to harmful actions, like reformatting a disk or encrypting files, without the user's knowledge. To mitigate this risk, it's advisable to place the current directory (.) at the end of the PATH variable rather than the beginning, ensuring that the system prioritizes legitimate commands in standard directories like /bin or /usr/bin over those in the current directory.
shivajikobardan
TL;DR Summary
Why shouldn't I add the current directory to PATH in Linux?
[attached image: 1686407676824.png]

I get that if I put the current directory in PATH as said above, I can execute commands from any directory. But what's the problem with that? How is another person able to come and execute it? Why does it make the system insecure compared to the case where we don't put the current directory in PATH? Can you explain the example he's giving?
 
To make his example more explicit, suppose that the directory you're currently in has a program (put there by some sneaky person) named ls, that reformats your disk, or encrypts it with a secret password, or something like that. You decide to find out what files are in the directory, and type the usual ls command. It runs the sneaky ls instead of the normal ls command, which is something like /usr/bin/ls.
 
In that example, the system will look in the current directory before looking in /bin or /usr/bin. It will therefore run the dodgy ./ls rather than the authentic /bin/ls. And the malicious user can modify ./ls so it doesn't list itself when imitating the output of /bin/ls.

This can be mitigated by placing . at the end of $PATH rather than the beginning.
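The lookup order described in the two replies above, as an added example that is not part of this thread and not anyone's posted code: a POSIX shell script that builds a scratch directory holding a look-alike `ls` (plus a second trap under the constructed name `ls_typo_example`, standing in for a command name a user might mistype) and uses `command -v` to report which file the shell would actually run for each PATH arrangement. The directory, the trap file names and their marker output are constructed for the demonstration; `command -v` is the standard shell builtin and performs the same left-to-right PATH search the shell does when you type a command.

```shell
#!/bin/sh
# Added demonstration (not code from the thread). Shows which "ls" the shell
# resolves depending on where "." sits in PATH.

set -u

# Create a scratch directory with two trap programs: "ls" (same name as the
# real command) and "ls_typo_example" (constructed stand-in for a mistyped
# command; nothing by that name exists in the standard bin directories).
# The traps only print a marker; a real one would do its damage and then exec
# the genuine ls so the output looks normal, as pasmith describes.
setup_trap_dir() {
    _dir=$(mktemp -d)
    for _name in ls ls_typo_example; do
        printf '#!/bin/sh\necho "TRAP %s running from %s"\n' "$_name" "$_dir" > "$_dir/$_name"
        chmod +x "$_dir/$_name"
    done
    printf '%s\n' "$_dir"
}

# Print the absolute path of the file the shell would execute for command $2
# when PATH is $1, or "not found". Runs in a subshell so the caller's PATH
# and command hash table are untouched.
resolve_with_path() {
    _path=$1
    _cmd=$2
    (
        PATH=$_path
        hash -r 2>/dev/null || true          # drop any cached lookup result
        _r=$(command -v "$_cmd") || { echo "not found"; exit 0; }
        case $_r in
            /*)  printf '%s\n' "$_r" ;;                    # found in a normal directory
            ./*) printf '%s/%s\n' "$(pwd)" "${_r#./}" ;;   # found through "."
            *)   printf '%s/%s\n' "$(pwd)" "$_r" ;;
        esac
    )
}

# Walk through the cases from the thread inside the trap directory.
demo() {
    _trap=$(setup_trap_dir)
    (
        cd "$_trap"
        echo "trap directory:               $_trap"
        echo "PATH unchanged,  ls         -> $(resolve_with_path "$PATH" ls)"
        echo "PATH=.:\$PATH,    ls         -> $(resolve_with_path ".:$PATH" ls)"
        echo "PATH=\$PATH:.,    ls         -> $(resolve_with_path "$PATH:." ls)"
        echo "PATH=\$PATH:.,    mistyped   -> $(resolve_with_path "$PATH:." ls_typo_example)"
    )
    rm -rf "$_trap"
}

case "${1:-}" in
    demo) demo ;;
esac
```

Run it as `sh script.sh demo`. With `.` first, `ls` resolves to the trap in the current directory; with `.` last, `ls` resolves to the real binary because /bin or /usr/bin is searched first. The last line of the demo is the caveat: a trailing `.` only protects names that already exist earlier in PATH, so a trap under a name that is not found in the standard directories (a mistyped command, for instance) is still picked up from the current directory.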
 
pasmith said:
In that example, the system will look in the current directory before looking in /bin or /usr/bin. It will therefore run the dodgy ./ls rather than the authentic /bin/ls. And the malicious user can modify ./ls so it doesn't list itself when imitating the output of /bin/ls.

This can be mitigated by placing . at the end of $PATH rather than the beginning.
Thank you. I got this now.
 