Brevis esse laboro, Obscurus fio -- I strive to be brief, and I become obscure.     CEE UCL HelpDesk Homepage
Department of Civil and Environmental Engineering Frank Batten College of Engineering and Technology Old Dominion University Norfolk, Virginia 23529-0241, USA Tel) (757) 683-3753 Fax) (757) 683-5354
Return to CEE UCL HelpDesk Homepage
CEE UCL HelpDesk Access Counter 		 
What's wrong with having '.' in my $PATH setup? 




  




A bit of background: the PATH environment variable is a list of
directories separated by colons. When you type a command name without
giving an explicit path (e.g. you type "ls",
rather than "bin/ls") your shell searches
each directory in the PATH list in order, looking for an executable file
by that name, and the shell will run the first matching program it
finds. It is a usual practice that you define any particular PATHs (in
addition to the system startup default PATHs) in your  dot files.



One of the directories in the PATH list can be the current
directory "." .  It is also permissible to use an empty directory
name in the PATH list to indicate the current directory.  Both of
these are equivalent



For tcsh or csh users:





setenv PATH :/usr/ucb:/bin:/usr/bin

setenv PATH .:/usr/ucb:/bin:/usr/bin





For bash or sh or ksh users:





export PATH=:/usr/ucb:/bin:/usr/bin

export PATH=.:/usr/ucb:/bin:/usr/bin





Having "." somewhere in the PATH is convenient - you can type
"a.out" instead of "/a.out" to run programs in the current
directory.  But there's a catch.



Consider what happens in the case where "." is the first entry in the
PATH. Suppose your current directory is a publically writable one, such
as "/tmp". If there just happens to be a program named "/tmp/ls" left
there by some other user, and you type "ls"
(intending, of course, to run the normal "/bin/ls" program), your shell will instead run
"/ls", the other user's program. Needless to
say, the results of running an unknown program like this might surprise
you.



It's slightly better to have "." at the end of the PATH:



For tcsh or csh users:





setenv PATH /usr/ucb:/bin:/usr/bin:.





For bash or sh or ksh users:





export PATH=:/usr/ucb:/bin:/usr/bin:.





Now if you're in /tmp and you type "ls", the
shell will search /usr/ucb, /bin and /usr/bin for a program named "ls" before it gets around to looking in ".", and
there is less risk of inadvertently running some other user's "ls" program. This isn't 100% secure though - if
you're a clumsy typist and some day type "sl -l" instead of "ls -l", you
run into the risk of accidently running "/sl", if there is one.



Some "clever"(!) programmer could anticipate common typing
mistakes and leave programs by those names scattered
throughout public directories -- Beware.



Many seasoned Unix users get by just fine without having
"." in the PATH at all:



For tcsh or csh users:





setenv PATH /usr/ucb:/bin:/usr/bin





For bash or sh or ksh users:





export PATH=:/usr/ucb:/bin:/usr/bin





If you do this, you'll need to type "/program" instead
of "program" to run programs in the current directory, but
the increase in security is probably worth it.











	

		
		
		
	
		
	
	
	
	
		Return to CEE UCL HelpDesk Homepage

	
	
		Move to the Top of this page