[BusyBox] [PATCH] init.c include initial environment
ssrat at mailbag.com
Tue Feb 13 21:19:13 UTC 2001
On 13 Feb 2001, at 20:32, Erik Gustavsson wrote:
> There is probably some good reason why the environment is
> discarded before running init scripts, and there is probably a
> better way to do this but I'm posting the patch anyway in case
> someone needs it. (I can't be the only person in the world who
> needs to pass parameters from lilo to my init scripts?)
My understanding is that using environment variables is a good way to
compromise a binary and gain root access to a machine. If you allow
the environment variables to come through, you need to be CERTAIN
that there is nothing that will allow your program to be compromised.
One way I've heard of is by using LD_PRELOAD (an environment
variable) and using libraries that effectively allow an individual to
gain root access - recent programs that use LD_PRELOAD now ignore it
for suid binaries.
There must be other security problems, too, though I don't know much
more than what I've said already.
You also need to watch out for problems with string lengths and so on
(strcpy, etc.), but I don't think there are any problems in the
code... is there?
--
David Douthitt
UNIX Systems Administrator
HP-UX, Linux, Unixware
n9ubh at callsign.net
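
The concerns raised in this reply (loader variables such as LD_PRELOAD, and unbounded string lengths) can be handled by filtering the boot environment before it reaches init scripts. The following is an added example, not part of the original message and not BusyBox code; `env_entry_ok`, `filter_env`, `MAX_ENTRY` and the denied-name list are hypothetical names and policy chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_ENTRY 256  /* assumed cap on one NAME=value string */

/* Constructed policy: shell-sensitive names never handed to init scripts. */
static const char *const denied[] = { "IFS", "PATH", "ENV", "BASH_ENV", NULL };

/* Return 1 if entry is a bounded NAME=value string that may be inherited. */
int env_entry_ok(const char *entry)
{
    size_t len = 0, name_len;
    const char *eq;
    while (len < MAX_ENTRY && entry[len] != '\0')  /* bounded length scan */
        len++;
    if (len == MAX_ENTRY)
        return 0;
    eq = memchr(entry, '=', len);
    if (eq == NULL || eq == entry)                 /* no '=' or empty name */
        return 0;
    name_len = (size_t)(eq - entry);
    if (strncmp(entry, "LD_", 3) == 0)             /* LD_PRELOAD and kin */
        return 0;
    for (size_t i = 0; denied[i] != NULL; i++)
        if (strlen(denied[i]) == name_len && strncmp(entry, denied[i], name_len) == 0)
            return 0;
    return 1;
}

/* Copy accepted pointers from in[] to out[], NULL-terminate, return count. */
size_t filter_env(char *const in[], const char *out[], size_t out_cap)
{
    size_t kept = 0;
    if (out_cap == 0)
        return 0;
    for (size_t i = 0; in[i] != NULL && kept + 1 < out_cap; i++)
        if (env_entry_ok(in[i]))
            out[kept++] = in[i];
    out[kept] = NULL;
    return kept;
}

int main(void)
{
    /* Constructed sample of boot-time variables. */
    char *const boot[] = { "root=/dev/hda1", "LD_PRELOAD=/constructed/lib.so", "runlevel=3", NULL };
    const char *clean[8];
    size_t n = filter_env(boot, clean, 8);
    for (size_t i = 0; i < n; i++)
        puts(clean[i]);
    return 0;
}
```

The filter only passes pointers through, so no entry is ever copied into a fixed-size buffer, and anything at or above the length cap is dropped rather than truncated.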