Subject: Re: asking for the path to init.
To: None <>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-kern
Date: 09/17/1999 13:13:07
>>> And what happens if you say /bin/sh instead ?
>> In most cases the user doesn't have control over what disks are in the
>> machine, isn't it?
[someone else made a point about floppy and/or cdrom]

> Okay.  Given these concerns, which I admit have a valid point, the
> successful exploit must rely on the following:

> /tmp being a part of / or being able to write an exploit program to
> somewhere inside the / filesystem as non-root.

No... not the / filesystem, but rather any local filesystem (well, any
local filesystem that can be root - some local filesystem types have no
mountroot capability).  If the attacker can boot with the option to
prompt for init, the attacker can also specify arbitrary root device
and kernel names.  Given this plus attacker write access to any
filesystem the booter is willing to load the kernel from, the game is
lost before "path to init?" even matters.

					der Mouse

		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B