[OS X TeX] TeXLive 2006 (MacTeX) is not detected...

Victor Ivrii vivrii at gmail.com
Wed Jan 3 10:43:40 EST 2007


On 1/3/07, Franck Pastor <pastor at fusl.ac.be> wrote:
> When I call a command, I don't put a dot before the command, I put
> nothing at all, only the file name. Thanks to this dot in the
> contents of my PATH variable, which means that this file name will be
> searched also in the current directory as well as /usr/bin or
> /usr/local/bin.
>
> But according to Herb Schulz, adding "." (the current directory) in
> the contents of my PATH variable could create a security gap... Why?
>

Well, if . (current directory) is at the very beginning of your
possible path listings, you are in real danger because any
executable file named, say, tex and placed in some directory would be
executed instead of tex if you are here. If . (current directory) is
at the end of your path the danger is reduced, but if the malicious
file is called texx and you typed texx by mistake, the effect will be
the same.

I know a guy who, while a high school student, used this method
on a teacher who liked to go to the home directories of the students to
get a listing of files there. No, the teacher's home directory was not
erased, but he was getting the screen message that it had been erased. So,
putting any untrusted directories in your path (and any relative path
should not be trusted) is not prudent.

-- 
========================
Victor Ivrii, Department of Mathematics, University of Toronto
http://www.math.toronto.edu/ivrii
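
A check for the problem discussed in this thread, as an added example that is not part of the original messages: it splits a PATH-style string and reports every entry that resolves against the current directory, with its search position. The function name `audit_path`, the output format, and the extra rule that a world-writable directory counts as untrusted are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit_path is a hypothetical helper, not part of any tool.
# It prints one line per risky entry of a PATH-style string as
# "<position> <kind> <entry>", where position 1 is searched first.
audit_path() {
    rest="$1:"              # trailing ":" so a final empty entry is not lost
    position=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text before the first colon
        rest=${rest#*:}     # everything after it
        position=$((position + 1))
        case $entry in
            "")
                # Leading, trailing or doubled colon: the shell searches
                # the current directory, exactly as if "." were listed.
                echo "$position empty-means-cwd ''" ;;
            /*)
                # Absolute entry. Assumption of this example: a directory
                # that any user can write to is also untrusted.
                # -L checks the target when the entry is a symlink.
                if [ -d "$entry" ] &&
                   [ -n "$(find -L "$entry" -prune -perm -0002 2>/dev/null)" ]; then
                    echo "$position world-writable $entry"
                fi ;;
            *)
                # ".", "bin", "../tools": resolved against wherever you are.
                echo "$position relative $entry" ;;
        esac
    done
    return 0
}

# Audit the PATH of the current shell when run directly.
audit_path "${PATH-}"
```

An empty report means every entry is an absolute path that is not world-writable; a low position number on any reported line means that entry is searched before the system directories.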
