[lanyard-textile]

Elaborate?? "." has been at the end of my PATH for like 20 years.

[mlrtime]

I could drop a shell script that does something like

echo "lanyard2 ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/lanyard2 ; ls

if you ran ls in my dir, you would give me sudoers access

[lanyard-textile]

If you put . at the end of PATH, isn't it checked last? I would need to have a missing ls installation.

Still viable though for something like rg... Maybe you run it before you install it for the first time on a new machine.

[ahepp]

Just to save the trouble of writing './'?

[lanyard-textile]

Yes??? :)

I'm not the crazy one here! That's a whole two characters on the same side of the keyboard...

[oneeyedpigeon]

How often do you find yourself running executables from the current directory? Is this a daily thing?

[lanyard-textile]

Gamedev! I could run some crazy cmake command to build and run, or I could just bin/build.

[piekvorst]

For my workflow, yes

I don’t think it’s a severe security vulnerability. The same thing can happen with $home/bin.

[ahepp]

I think it's substantially riskier. At the very least, it means you are trusting any directory you cd into, rather than just trusting your $home/bin.

Stuff that would not typically raise eyebrows has been made risky. You might cd into less privileged user's $home, or some web service's data directory, and suddenly you've given whoever had access to those users, access to your user.

Maybe you could argue "well, I just won't cd outside of my $home", but the sheer unexpectedness of the behavior seems deeply undesirable to me.