From rat@nosferatu.nas.nasa.gov  Thu Jul 18 04:07:15 1996
Received: from nosferatu.nas.nasa.gov (nosferatu.nas.nasa.gov [129.99.50.36]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id EAA01956 for <best-of-security@suburbia.net>; Thu, 18 Jul 1996 04:07:12 +1000
Received: from localhost (localhost [127.0.0.1]) by nosferatu.nas.nasa.gov (8.7.5/8.6.9-rAT) with SMTP id LAA10527; Wed, 17 Jul 1996 11:05:46 -0700 (PDT)
Message-Id: <199607171805.LAA10527@nosferatu.nas.nasa.gov>
X-Authentication-Warning: nosferatu.nas.nasa.gov: Host localhost [127.0.0.1] didn't use HELO protocol
To: "David L. Sifry" <david@sifry.com>
Cc: best-of-security@suburbia.net
Subject: Re: BoS: [Fwd: [linux-security] sliplogin (fwd)] 
From: "Karl F. Schilke" <rat@nas.nasa.gov>
Date: Wed, 17 Jul 1996 11:05:46 -0700
Sender: rat@nas.nasa.gov

"David L. Sifry" writes:
 > without clearing the environment first. Therefore, anybody can get
 > root trivially.

Hello, all.  Excuse my ignorance, but could someone explain to me how 
it's possible to achieve root in this case?  I have looked at the code, 
and see that 'logincmd' is set from a #define'd constant string, which is 
sprintf(3)'d into logincmd[].

Am I missing something obvious here?

	-Karl

---
Karl F. Schilke, Network Research Group     --    Work: 415.604.0939
Numerical Aerodynamic Simulation Facility   --    Page: 415.428.6933
Mail Stop 258/6 - NASA Ames Research Center, Moffett Field, CA 94035