A Trojan horse is something that looks harmless, or even useful, but that contains a hidden danger.

Consider the following scenario. User John Q. Programmer (login name jprog) is an excellent programmer, and he has quite a collection of personal programs in ~jprog/bin. This directory occurs first in the PATH variable in ~jprog/.profile. Since he is such a good programmer, management recently promoted him to system administrator.

This is a whole new field of endeavor, and John—not knowing any better—has unfortunately left his bin directory writable by other users. Along comes W.M. Badguy, who creates the following shell script, named grep, in John's bin directory:

/bin/grep "$@"
case $(whoami) in                  Check effective user ID name
root)   nasty stuff here           
            Danger Will Robinson, danger!
        rm ~/jprog/bin/grep        Hide the evidence
        ;;
esac

In and of itself, this script can do no damage when jprog is working as himself. The problem comes when jprog uses the su command. This command allows a regular user to "switch user" to a different user. By default, it allows a regular user to become root (as long as that user knows the password, of course). The problem is that normally, su uses whatever PATH it inherits.^[2] In this case, $PATH includes ~jprog/bin. Now, when jprog, working as root, runs grep, he actually executes the Trojan horse version in his bin. This version runs the real grep, so jprog gets the results he expects. More importantly, it also silently executes the nasty stuff ...