Endpoint Administration Guide for UNIX › Protecting Files and Programs › Blocking Trojan Horses with the _abspath Group

Blocking Trojan Horses with the _abspath Group

Any relative path names in the $PATH variable, but particularly the dot (.) path name meaning “current directory,” is a security weakness. Consider the following scenario:

• At the top of the PATH variable for root is the current (.) directory.
• A malicious user creates a destructive program-a Trojan horse-and stores it as /tmp/ls.
• In time, as the malicious user expects, root issues the ls command in the /tmp directory. Instead of running the usual ls command, root actually runs-with full administrative privileges-the Trojan horse that had been stored in the /tmp directory.

To eliminate this security weakness, CA Access Control provides a user group named _abspath. All members of the _abspath group are forbidden to use relative path names in invoking programs.

You can add a user to the _abspath group just as you add one to any other group. Effective at the next login, the user is forbidden to use relative path names when accessing programs.