From owner-freebsd-security Sun Feb 11 15:23:48 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id PAA07172 for security-outgoing; Sun, 11 Feb 1996 15:23:48 -0800 (PST)
Received: from zarquon.hip.berkeley.edu (zarquon.HIP.Berkeley.EDU [136.152.93.146]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id PAA07167 for ; Sun, 11 Feb 1996 15:23:45 -0800 (PST)
Received: (from mconst@localhost) by zarquon.hip.berkeley.edu (8.6.12/8.6.12) id PAA13282 for freebsd-security@freebsd.org; Sun, 11 Feb 1996 15:22:21 -0800
Date: Sun, 11 Feb 1996 15:22:21 -0800
From: Michael Constant
Message-Id: <199602112322.PAA13282@zarquon.hip.berkeley.edu>
To: freebsd-security@freebsd.org
Subject: sliplogin hole?
Sender: owner-security@freebsd.org
Precedence: bulk

This applies to 2.1-RELEASE, which is what I'm running. Forgive me if it
has been fixed in -current; I haven't seen anything on freebsd-security
about it, though.

The sliplogin(8) manpage recommends using lines of the following form in
/etc/sliphome/slip.hosts:

    Sfoo `hostname` foo netmask

The problem with this is that the `hostname` portion is passed directly to
the shell, without any processing -- as root. This means J. Random
Slip-User can create a script called ~/bin/hostname that does whatever he
wants, and (as long as ~/bin is before /bin in his path) his script will be
run as root the next time he types "sliplogin foo".

- Michael Constant
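
An audit for the configuration pattern described in the message above, added here as an example; it is not part of the original post or of FreeBSD. It reports slip.hosts lines whose backquoted command is named without an absolute path, since those are the lines resolved through the caller's PATH. The function names and the sample file are constructed, and treating '#' as a comment marker is an assumption.

```shell
#!/bin/sh
# Added example (not from the original message or from FreeBSD).
# audit_slip_hosts and sample_slip_hosts are hypothetical names.

# Print "LINE:COMMAND" for every backquoted command that does not start
# with "/". Reads the files given as arguments, or stdin when there are none.
# Returns 1 if anything was reported, 0 otherwise.
audit_slip_hosts() {
    awk '
        /^[ \t]*#/ { next }                 # assumption: "#" starts a comment
        {
            # Splitting on the backquote leaves the even-numbered pieces
            # between a pair of backquotes; the last piece of an unclosed
            # pair is skipped by the i < n bound.
            n = split($0, part, "`")
            for (i = 2; i < n; i += 2) {
                cmd = part[i]
                sub(/^[ \t]+/, "", cmd)     # drop leading blanks
                sub(/[ \t].*$/, "", cmd)    # keep only the command word
                if (cmd != "" && cmd !~ /^\//) {
                    print NR ":" cmd
                    found = 1
                }
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$@"
}

# Constructed sample input in the form quoted from sliplogin(8).
sample_slip_hosts() {
    cat <<'EOF'
# constructed sample, not a real configuration
Sfoo `hostname` foo netmask
Sbar `/bin/hostname` bar netmask
Sbaz 10.0.0.1 baz netmask
EOF
}

# Stand-alone run: audit the constructed sample.
sample_slip_hosts | audit_slip_hosts || echo "unqualified backquoted command found"
```

On a real system the function would be pointed at /etc/sliphome/slip.hosts, the path named in the message.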