Bugtraq mailing list archives

Re: Pointer to a process's credential structure?


From: patrick () oes amdahl com (Patrick Horgan)
Date: Fri, 14 Apr 1995 09:17:25 +0800



Hi --

Browsing through some archived "bugtraq" messages I discovered a
really nifty way to change the effective and real userid of any
process running under SunOS 4.1.x (well, at least 4.1.2 and 4.1.3x).
That particular hole is demonstrably exploitable under Solaris 2.3
(and I assume Solaris 2.4), except for one little problem....


I'd have to think...we used to be able to do this via the prom debugger.
We wouldn't have to know any address ahead of time, but could walk the
kernel's tables in the debugger from the prom prompt.  If anyone really
cares I could probably figure it out for Solaris 2, but I'm not sure
of the point.  I'd hope everyone knows that physical security is important,
and that if you don't have it you're in deep doo-doo.

Patrick
   _______________________________________________________________________
  /  These opinions are mine, and not Amdahl's (except by coincidence;).  \
 |                                                       (\                |
 |  Patrick J. Horgan         Amdahl Corporation          \\    Have       |
 |  patrick () amdahl com        1250 East Arques Avenue      \\  _ Sword     | 
 |  Phone : (408)992-2779     P.O. Box 3470 M/S 316         \\/    Will    | 
 |  FAX   : (408)773-0833     Sunnyvale, CA 94088-3470     _/\\     Travel | 
  \___________________________O16-2294________________________\)__________/


