Subject: Re: asking for the path to init.
To: None <tech-kern@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-kern
Date: 09/17/1999 13:13:07
>>> And what happens if you say /bin/sh instead ?
>> In most cases the user doesn't have control over what disks are in the
>> machine, isn't it?
[someone else made a point about floppy and/or cdrom]

> Okay.  Given these concerns, which I admit have a valid point, the
> successful exploit must rely on the following:

> /tmp being a part of / or being able to write an exploit program to
> somewhere inside the / filesystem as non-root.

No...not the / filesystem, but rather any local filesystem (well, any
local filesystem that can be root - some local filesystem types have no
mountroot capability).  If the attacker can boot with the option to
prompt for init, the attacker can also specify arbitrary root device
and kernel names.  Given this plus attacker write access to any
filesystem the booter is willing to load the kernel from, the game is
lost before "path to init?" even matters.

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B