best way to ensure './' is at beginning of sys.path?

Michael Torrie torriem at gmail.com
Sun Feb 5 00:18:24 EST 2017


On 02/04/2017 08:19 AM, Wildman via Python-list wrote:
> No, I do not know.  You might try your question in
> a linux specific group.  Personally I don't understand
> the danger in having the dot in the path.  The './'
> only means the current directory.  DOS and Windows
> have searched the current directory since their
> beginning.  Is that also dangerous?

Because of how the DOS and Windows command-line interpreters work, it's
slightly less dangerous. That's because a lot of commands are built into
the interpreter.  Commands like dir, type, etc.  So a malicious download
can't really override those with local copies.

In Linux, a lot of critical commands are actual programs in the search
path.  Commands like ls, cat, etc.  So if . is in the path, it's far
easier for a malicious download (or script) to place shadow programs in
the current directory that will run when you try to use what you think
is a system command.  If strict user/root separation is maintained, then
the damage can be mitigated somewhat.  Except for something like a
shadow copy of sudo that snags your password, then uses it to execute an
arbitrary script as root using the real sudo.  Game over.

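The shadowing risk described in this reply can be audited from the defender's side. The following POSIX sh script is an added example, not code from the thread or from the Python project: it reports PATH entries that resolve relative to the current working directory (".", "./", any other relative path, and the empty entry produced by a leading, trailing or doubled ":", which the shell also treats as the current directory), and it lists executables in a given directory whose names collide with a program found in an absolute PATH directory, i.e. files that would shadow system commands if that directory were searched first. The function names and the temporary directory used in the demo are this example's own choices.

```shell
#!/bin/sh
# Audit a PATH-style string and a directory for command-shadowing risk.
# Everything here is POSIX sh; no bash-only features are used.

# Print each entry of the PATH string $1 that is resolved relative to the
# current working directory, one per line.  Absolute entries are skipped.
risky_path_entries() {
    [ -n "$1" ] || return 0
    rest="$1:"                      # trailing ':' so the last field is consumed
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"         # field before the first ':'
        rest="${rest#*:}"           # everything after it
        case "$entry" in
            "")  printf '%s\n' '<empty> (current directory)' ;;
            /*)  ;;                 # absolute directory: not a shadowing risk
            *)   printf '%s\n' "$entry" ;;
        esac
    done
}

# Exit status 0 if $1 contains at least one risky entry, 1 otherwise.
path_is_risky() {
    [ -n "$(risky_path_entries "$1")" ]
}

# Print the names of executable regular files in directory $1 that share a
# name with an executable in one of the absolute directories of PATH string $2.
# These are the files that would run instead of the system command if $1
# were searched before the system directories.
shadowing_files() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        name="${f##*/}"
        r="$2:"
        while [ -n "$r" ]; do
            d="${r%%:*}"
            r="${r#*:}"
            case "$d" in /*) ;; *) continue ;; esac   # only absolute dirs count
            if [ -f "$d/$name" ] && [ -x "$d/$name" ]; then
                printf '%s\n' "$name"
                break
            fi
        done
    done
}

# Example usage against the live environment: silent when PATH is clean.
if path_is_risky "$PATH"; then
    echo "PATH contains entries resolved relative to the current directory:"
    risky_path_entries "$PATH"
    echo "Files in . that shadow commands found elsewhere on PATH:"
    shadowing_files . "$PATH"
fi
```

Running `shadowing_files` against a freshly unpacked download directory before cd'ing into it shows exactly which names (ls, cat, sudo, ...) would be hijacked under a "." or empty PATH entry; the fix is to drop such entries from PATH rather than to trust the directory.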