best way to ensure './' is at beginning of sys.path?

Wildman best_lay at yahoo.com
Sun Feb 5 03:01:05 EST 2017


On Sat, 04 Feb 2017 19:12:55 +0000, Grant Edwards wrote:

> On 2017-02-04, Wildman via Python-list <python-list at python.org> wrote:
>>> 
>>> The next time you are in the /tmp directory looking for something, can
>>> you guess what happens when you mistype "ls" as "sl"?
>>> 
>>>> DOS and Windows has searched the current directory since their
>>>> beginning.  Is that also dangerous?
>>> 
>>> Yes.
>>
>> Your scenario assumes the malicious user has root access
>> to be able to place a file into /tmp.
> 
> Nope.  /tmp is world-writable.

Yea, I realized that right after I clicked post.  I was
thinking of the fact that /tmp is owned by root.
 
>> And there would have to be some reason why I would be looking around
>> in /tmp.  After 10 years of using Linux, it hasn't happened yet.
>> And last I would have to be a complete idiot.
> 
> To have put '.' in your path?

That is something I would never do.  Not because I think
it is dangerous but because it had never occurred to me.
Anything that I run in the current directory, I always
prefix it with './' out of habit.  Never thought of doing
anything else.

> Or to have typed 'sl' by mistake?

Well, maybe not an idiot but something would have to be
going on to misspell a two letter command. <g>

>> I suppose all that could be a reality, but, how many computers do
>> you know of have been compromised in this manner?
> 
> I've known a few people over the years who've been caught by that
> trick.  The "evil" program was always more of a joke and did no real
> harm.

I don't consider that being compromised.  Sure, you
could trick someone into running a program that could
mess with $HOME but that is all.  For anyone, like me,
that makes regular backups, that is not a big problem.
To do any real damage to the system or install a key
logger or some other malicious software, root access
would be required.  As a Linux user you already know
that.  That is the scenario where idiot would be the
correct term.

-- 
<Wildman> GNU/Linux user #557453
The cow died so I don't need your bull!
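The shadowing mechanism the thread is arguing about, as an added example that is not part of the original post or of anything the Python-list participants wrote: a small Python script that emulates the shell's PATH walk, plants a harmless fake "sl" in a scratch directory standing in for /tmp, and shows that the mistyped command is only picked up when "." (or an empty entry) is in PATH and you happen to be standing in that directory. The same audit function is applied to sys.path, where '' (the interactive interpreter's default) and any relative entry likewise make imports depend on the current directory. All function names, the scratch layout and the planted files are constructed for this example.

```python
import os
import stat
import sys
import tempfile
from pathlib import Path


def cwd_entries(path_value, sep=os.pathsep):
    """Return the PATH entries whose meaning depends on the current directory.

    '' (produced by a leading, trailing or doubled separator), '.' and any
    other relative path are all resolved against wherever you are standing.
    """
    return [e for e in path_value.split(sep) if e == "" or not Path(e).is_absolute()]


def audit_sys_path(entries=None):
    """Same check for sys.path: '' and relative entries are cwd-dependent."""
    if entries is None:
        entries = sys.path
    return [e for e in entries if e == "" or not Path(e).is_absolute()]


def resolve_command(name, path_value, cwd, sep=os.pathsep):
    """Emulate the shell's lookup: first executable file along PATH wins."""
    for entry in path_value.split(sep):
        directory = Path(cwd) if entry in ("", ".") else Path(entry)
        if not directory.is_absolute():
            directory = Path(cwd) / directory
        candidate = directory / name
        if candidate.is_file() and os.access(candidate, os.X_OK):
            return str(candidate)
    return None


def _plant(path, body):
    """Write a small executable script (constructed sample, does no harm)."""
    path.write_text(body)
    path.chmod(path.stat().st_mode | stat.S_IXUSR)


def demo():
    """Stand-in for the 'sl in /tmp' scenario, fully inside a temp dir.

    bin/ holds the one legitimate command, tmp/ holds the planted 'sl'.
    """
    with tempfile.TemporaryDirectory() as scratch:
        bindir = Path(scratch) / "bin"
        tmpdir = Path(scratch) / "tmp"  # plays the role of world-writable /tmp
        bindir.mkdir()
        tmpdir.mkdir()
        _plant(bindir / "ls", "#!/bin/sh\nexec /bin/ls \"$@\"\n")
        _plant(tmpdir / "sl", "#!/bin/sh\necho 'gotcha: this is not the command you wanted'\n")

        safe_path = str(bindir)
        risky_path = "." + os.pathsep + safe_path  # '.' first, as in the thread

        return {
            # typo 'sl' while standing in tmp/, sane PATH: command not found
            "typo_with_safe_path": resolve_command("sl", safe_path, tmpdir),
            # same typo with '.' in PATH: the planted file runs
            "typo_with_dot_in_path": resolve_command("sl", risky_path, tmpdir),
            # a correctly typed 'ls' still finds the real one (nothing planted)
            "ls_with_dot_in_path": resolve_command("ls", risky_path, tmpdir),
            "flagged_path_entries": cwd_entries(risky_path),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("cwd-dependent sys.path entries:", audit_sys_path())
```

Running this from an interactive interpreter will usually report '' in sys.path, which is the Python-side equivalent of '.' in PATH; running it as a script reports the script's own directory instead, which is absolute and therefore not flagged.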
