System Administration Guide: Security Services

Setting the Correct Path

It is important to set your path variable correctly. Otherwise, you can accidentally run a program, introduced by someone else, that harms your data or your system. This kind of program, which creates a security hazard, is referred to as a “Trojan horse.” For example, a substitute su program could be placed in a public directory where you, as system administrator, might run it. Such a script would look just like the regular su command. Because the script removes itself after execution, it is hard to tell that you have actually run a Trojan horse.

The path variable is automatically set at login time through the startup files: .login, .profile, and .cshrc. Setting up the user search path so that the current directory (.) comes last prevents you or your users from running this type of Trojan horse. The path variable for superuser should not include the current directory at all. The Automated Security Enhancement Tool (ASET) examines the startup files to ensure that the path variable is set up correctly and that it does not contain a dot (.) entry.
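
The rule described above, as an added example (not ASET's code and not part of the original guide): a POSIX shell function that classifies a search path for a superuser or an ordinary user. It goes beyond the text by also treating an empty entry (a leading, trailing, or doubled colon) as the current directory, which is how the shell interprets it. The function name, the role labels, and the sample paths are assumptions made for illustration.

```shell
#!/bin/sh
# classify_path PATH_STRING ROLE   (hypothetical helper; ROLE is "root" or "user")
# Prints one verdict:
#   ok            no current-directory entry, or (user only) a single one at the very end
#   dot-not-last  user path has a current-directory entry before the last position
#   dot-present   root path contains a current-directory entry anywhere
classify_path() {
    rest=$1
    role=$2
    dot_count=0
    last_is_dot=0
    while :; do
        # Peel off one colon-separated entry, keeping empty entries intact.
        case $rest in
            *:*) entry=${rest%%:*}; rest=${rest#*:}; more=1 ;;
            *)   entry=$rest; more=0 ;;
        esac
        # "." and the empty string both mean the current directory.
        case $entry in
            ''|.) dot_count=$((dot_count + 1)); last_is_dot=1 ;;
            *)    last_is_dot=0 ;;
        esac
        [ "$more" -eq 1 ] || break
    done
    if [ "$dot_count" -eq 0 ]; then
        echo ok
    elif [ "$role" = root ]; then
        echo dot-present
    elif [ "$dot_count" -eq 1 ] && [ "$last_is_dot" -eq 1 ]; then
        echo ok
    else
        echo dot-not-last
    fi
}

# Constructed sample paths, checked under both roles.
for sample in '/usr/bin:/usr/sbin' '/usr/bin:/usr/sbin:.' \
              '.:/usr/bin' '/usr/bin::/usr/sbin' '/usr/sbin:/usr/bin:'; do
    printf '%-22s user=%-13s root=%s\n' "$sample" \
        "$(classify_path "$sample" user)" "$(classify_path "$sample" root)"
done
```

To audit a live session, pass the shell's own path and the role that applies, for example `classify_path "$PATH" root` in a superuser shell.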