Comments by "Lawrence D’Oliveiro" (@lawrencedoliveiro9104) on "Want To Run A Script? Remember The Dot Slash (./) !" video.
You can put “.” in your $PATH variable to avoid this, if you want. In the early days of Unix, this was done as standard. Then it was realized what a security hole it could be, so nowadays it is not done as standard, and it is not recommended that you add it.
24
Putting “.” at the end doesn’t protect against, say, accidentally invoking a malicious command whose name is a common typo of a real command. That’s why it was considered too dangerous to have it in the $PATH at all.
2
“Chance” ... heh-heh. Maybe it’s not a machine you control, so you don’t know who else has been given access. Or you are just one of the administrators of an installation for a large company. Maybe a user account has been compromised. Maybe it’s your job to find out! There is a certain charming naïveté among those who only have experience with Microsoft Windows ...
2
Another case of Microsoft trying to copy a Unix feature and getting it wrong. On Unix/Linux, every directory that is searched has to be explicitly included in the $PATH list; leave out “.”, and it will not be searched. Microsoft thought it would be extra helpful and hardcoded “.” into the search algorithm, whether it appears in $PATH or not. And so we are left with yet another unfixable Windows security hole.
2
@kira64xyz Hint: that’s where the “multiuser” part comes in.
1
There seems to be a lack of understanding of the security implications of this. It has to do with a malicious user tricking you into setting your default directory to one that they control. So they put a program in it with the same name as some system command, and when you type the name of that command, you unwittingly run their malicious version instead. This is why, in the Unix world, the dropping of “.” from the default $PATH was first done for root, and only later extended to all users. But of course, the way Microsoft chose to implement it made it impossible to make this simple fix in their OS.
1
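An added example, not part of the original comments: a POSIX shell check for $PATH entries that cause the current directory to be searched, whatever their position in the list. Besides a literal “.”, an empty entry (a leading, trailing or doubled colon) is also searched as the current directory. The function name `audit_path` and its messages are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the page): list the entries
# of a PATH-style string that resolve against the current directory.
# Exit status is 0 when none are found, 1 otherwise.
audit_path() (
    rest="$1:"      # sentinel colon so the final entry is processed too
    idx=0
    found=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text before the first colon
        rest=${rest#*:}     # drop that entry and its colon
        idx=$((idx + 1))
        case $entry in
            '')   reason="empty entry, searched as the current directory" ;;
            .|./) reason="current directory" ;;
            /*)   continue ;;   # absolute path: not tied to the current directory
            *)    reason="relative path, resolved against the current directory" ;;
        esac
        printf 'entry %d: "%s" (%s)\n' "$idx" "$entry" "$reason"
        found=1
    done
    [ "$found" -eq 0 ]
)
```

Run it as `audit_path "$PATH"` in each account and startup script of interest, root's first.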
It’s quite plain that those who have no experience of multiuser systems would not understand this.
1
What more can I say? If you don’t understand that “another user” means there is more than one user on the same system, and that means it’s a multiuser system, with all that that implies, then how do you make the security issues clear to someone who has never used such a system?
1
What a pity so few Windows users will discover this, since they are all conditioned to hate the command line.
1