bash-1.14.7-16 searches the CWD even if it is not in $PATH, when there are two consecutive colons in the $PATH value or the PATH string ends with a colon. Examples:

PATH="/bin:/usr/bin:/usr/local/bin"    is OK
PATH="/bin:/usr/bin:/usr/local/bin:."  includes CWD, is OK
PATH="/bin:/usr/bin::/usr/local/bin"   includes CWD, BUG!
PATH="/bin:/usr/bin:/usr/local/bin:"   includes CWD, BUG!

A guy from the bash-bug mail list says that this is intended, and I discovered that tcsh behaves the same. But on Red Hat 6.0, when root starts an xterm (or a kterm or gnome-term, I don't remember) in a KDE (or GNOME) session, he has the CWD implicitly (due to this "bug") in his PATH, but not when logging on /dev/tty1. Having CWD in PATH is a security problem, especially for root and if the fact is "hidden" by this "bug".
It is not a bug, and you don't end up with a "broken" PATH (with two colons or a colon at the end) unless you edit .bashrc, .bash_profile or the like to change your PATH.
Not sure if it's related, but the version of RedHat 6.0 distributed on the cover of Linux Answers magazine will install a system where every user (including root) gets a PATH that BEGINS with a colon. Does that cause the same problem? Memory says that the path given to root on such installations is as follows:

PATH=:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11/bin
     ^
     +--- That's the miscreant...

Comments?
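
A check for the PATH forms discussed in this thread (leading, trailing and doubled colons, plus an explicit "."), as an added example that is not part of any of the original posts. The helper name audit_path is hypothetical, and flagging other relative entries goes slightly beyond the cases the thread lists.

```shell
#!/bin/sh
# audit_path is a hypothetical helper name (not from the thread).
# It prints one line per PATH entry that resolves against the current
# working directory and returns 1 if any such entry exists, else 0.
audit_path() {
    ap_rc=0
    ap_idx=0
    # Append a sentinel colon so a trailing empty entry survives the split.
    ap_rest="$1:"
    while [ -n "$ap_rest" ]; do
        ap_entry=${ap_rest%%:*}   # text before the first colon
        ap_rest=${ap_rest#*:}     # text after the first colon
        ap_idx=$((ap_idx + 1))
        case $ap_entry in
            '') printf 'entry %d: empty, searches CWD implicitly\n' "$ap_idx"; ap_rc=1 ;;
            .)  printf 'entry %d: explicit "."\n' "$ap_idx"; ap_rc=1 ;;
            /*) ;;  # absolute directory, independent of CWD
            *)  printf 'entry %d: relative path %s\n' "$ap_idx" "$ap_entry"; ap_rc=1 ;;
        esac
    done
    return "$ap_rc"
}

# The PATH values quoted in the thread, checked one by one.
for p in \
    "/bin:/usr/bin:/usr/local/bin" \
    "/bin:/usr/bin:/usr/local/bin:." \
    "/bin:/usr/bin::/usr/local/bin" \
    "/bin:/usr/bin:/usr/local/bin:" \
    ":/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11/bin"
do
    printf 'PATH="%s"\n' "$p"
    audit_path "$p" || true
done
```

Running audit_path "$PATH" once from the console login and once from a terminal inside the desktop session shows whether the two environments differ in the way the first post describes.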