Subject: Re: asking for the path to init.
To: None <tech-kern@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-kern
Date: 09/20/1999 02:35:46
>> [N]ot the / filesystem, but rather any local filesystem ([...]).  If
>> the attacker can boot with the option to prompt for init, the
>> attacker can also specify arbitrary root device and kernel names.

> Not sure.  Without device nodes the game is harder.

The attacker-provided kernel doesn't have to be a "normal" kernel.  It
could be little more than fsdb plus enough drivers to talk to the
console and disks.  It could be a perfectly ordinary kernel that runs
off your usual root device - EXCEPT that, say, any process that tries
to open the path "/magic/nonexistent/file"...or close(-31337)...or
whatever...magically gets all its uid values set to zero.

Or whatever.  The possibilities are limited only by the attacker's
imagination and kernel-hacking abilities.  And many of them don't need
device nodes in the usual sense, and many of them use your existing
device nodes but still let the attacker in.

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B