Re: Proposal of new group
According to Tomasz Wegrzanowski:
> > Think of command line arguments, environment variables .. that's
> > all 'user input'
>
> This (command line arguments, environment variables) is
> what i checked in manpages.
Never ever trust manpages. Read the source.
> But theres nothing about
> such things (i though about these when i said userinput
> such things as additional scripts etc. would be surely
> security holes)
There certainly is. For example, the "warning-message" you can specify
on the command line. Did you check to see if it perhaps is copied into
an internal fixed-size buffer? Which would then easy to overflow?
Poof, root shell.
Also, argument to "-t" is passed unaltered to "init". Perhaps you
can overflow something in init itself that way ?
Now, both of the things I mentioned are secure. I checked the source for
this. But there might be other exploits, or I might have overlooked
something.
Really, *never ever* promote some random program to a setuid program
without auditing the source extensively. That's the only thing I
am trying to get across in this thread.
Mike.
--
First things first, but not necessarily in that order.
Reply to: