According to Tomasz Wegrzanowski:
> > Think of command line arguments, environment variables .. that's
> > all 'user input'
>
> This (command line arguments, environment variables) is
> what I checked in manpages.

Never ever trust manpages. Read the source.

> But there's nothing about
> such things (I thought about these when I said user input
> such things as additional scripts etc. would be surely
> security holes)

There certainly is. For example, the "warning-message" you can specify on the command line. Did you check to see if it perhaps is copied into an internal fixed-size buffer? Which would then be easy to overflow? Poof, root shell.

Also, argument to "-t" is passed unaltered to "init". Perhaps you can overflow something in init itself that way?

Now, both of the things I mentioned are secure. I checked the source for this. But there might be other exploits, or I might have overlooked something.

Really, *never ever* promote some random program to a setuid program without auditing the source extensively. That's the only thing I am trying to get across in this thread.

Mike.
--
First things first, but not necessarily in that order.
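
The two checks described in the message above, as an added example that is not part of the original message and not the source of the program under discussion. The names `store_warning`, `valid_numeric_arg` and `WARN_MAX` are hypothetical, and the example assumes the forwarded option argument is meant to be a short decimal number.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define WARN_MAX 128 /* assumed size of the internal fixed-size buffer */

/* Copy a user-supplied warning message into a fixed-size buffer.
 * The pattern an audit looks for is an unbounded copy such as
 * strcpy(buf, argv[i]). Here the length is checked first and
 * over-long input is rejected instead of being truncated.
 * Returns 0 on success, -1 if the input is missing or too long. */
int store_warning(char *dst, size_t dstlen, const char *msg)
{
    size_t n;
    if (dst == NULL || dstlen == 0 || msg == NULL)
        return -1;
    n = strlen(msg);
    if (n >= dstlen)          /* no room for the terminating NUL */
        return -1;
    memcpy(dst, msg, n + 1);  /* n + 1 <= dstlen, NUL included */
    return 0;
}

/* Validate an option argument before forwarding it to another program.
 * Accepts 1 to 5 decimal digits only (assumed format), so the receiving
 * program never sees an arbitrarily long or non-numeric string. */
int valid_numeric_arg(const char *arg)
{
    size_t i;
    if (arg == NULL || arg[0] == '\0')
        return 0;
    for (i = 0; arg[i] != '\0'; i++)
        if (i >= 5 || !isdigit((unsigned char)arg[i]))
            return 0;
    return 1;
}

int main(int argc, char **argv)
{
    char warn[WARN_MAX];
    /* constructed usage: prog <number> <warning-message> */
    if (argc != 3 || !valid_numeric_arg(argv[1]) ||
        store_warning(warn, sizeof warn, argv[2]) != 0) {
        fprintf(stderr, "usage: %s <number> <message>\n", argv[0]);
        return 2;
    }
    printf("arg=%s warning=%s\n", argv[1], warn);
    return 0;
}
```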