Bugtraq mailing list archives

Re: Symlinks and Cryogenic Sleep


From: heilpern () MINDSPRING COM (Mark A. Heilpern)
Date: Mon, 3 Jan 2000 17:34:45 -0500


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 09:24 PM 1/3/00 +0100, you wrote:
[snip]

When the application reaches the critical section of code between the
lstat and the open, you stop it by sending it a SIGSTOP. You record
the device and inode number of your /tmp file, remove it, and wait.

Seconds, days or maybe even weeks later, somebody creates an interesting
file with exactly the same inode (and device) number as the one you
used with my setuid program. You now create a symlink in /tmp, pointing
to that interesting file, and send my setuid application a SIGCONT.
Zap, there goes the file.
[snip]
Comments? Suggestions?

Maybe I'm just naive, but it's my understanding that you cannot send signals
to a process you don't own unless you are root.

On my Linux 2.2.13 system, I just tried sending SIGSTOP to a root-owned
and nobody-owned process, and each time was told I was not the process owner.

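As an added example, not code from either poster: a C function that closes the lstat/open window discussed in this thread by doing every check on the descriptor it actually opened (fstat, not a prior lstat on the name) and refusing symlinks outright with O_NOFOLLOW, so a later inode reuse has nothing to match against. The scratch directory under /tmp, the file names and the expected owner (the caller's uid) are assumptions used only by the self-check.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open path for writing and verify the file we actually got, via the
 * descriptor, instead of trusting an earlier lstat() on the name. A
 * symlink swapped in between a check and the open has nothing to race. */
int open_tmp_safely(const char *path, uid_t expected_owner)
{
    struct stat st;
    /* O_NOFOLLOW refuses a symlink as the final path component */
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 ||      /* inspect the open file, not the name */
        !S_ISREG(st.st_mode) ||    /* no devices, FIFOs or directories */
        st.st_nlink != 1 ||        /* hard-linked in from elsewhere */
        st.st_uid != expected_owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-check on a scratch directory created here (constructed input, not
 * a real setuid program's /tmp file): the plain file is accepted, a
 * symlink to it is refused. Returns 1 when both hold. */
int demo_symlink_rejected(void)
{
    char dir[] = "/tmp/safeopenXXXXXX", file[64], lnk[64];
    int ok = 0, fd;
    if (!mkdtemp(dir))
        return 0;
    snprintf(file, sizeof file, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 && symlink(file, lnk) == 0) {
        int good = open_tmp_safely(file, getuid());
        int bad = open_tmp_safely(lnk, getuid());
        ok = (good >= 0 && bad == -1);
        if (good >= 0) close(good);
        unlink(lnk);
    }
    if (fd >= 0) { close(fd); unlink(file); }
    rmdir(dir);
    return ok;
}
```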

