Bugtraq mailing list archives
Re: Symlinks and Cryogenic Sleep
From: heilpern () MINDSPRING COM (Mark A. Heilpern)
Date: Mon, 3 Jan 2000 17:34:45 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 09:24 PM 1/3/00 +0100, you wrote:
> [snip]
> When the application reaches the critical section of code between the lstat and the open, you stop it by sending it a SIGSTOP. You record the device and inode number of your /tmp file, remove it, and wait. Seconds, days or maybe even weeks later, somebody creates an interesting file with exactly the same inode (and device) number as the one you used with my setuid program. You now create a symlink in /tmp, pointing to that interesting file, and send my setuid application a SIGCONT. Zap, there goes the file.
> [snip]
> Comments? Suggestions?
Maybe I'm just naive, but it's my understanding that you cannot send signals to a process you don't own unless you are root. On my Linux 2.2.13 system, I just tried sending SIGSTOP to a root-owned and nobody-owned process, and each time was told I was not the process owner.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2

iQA/AwUBOHEkBOux2pTVimV9EQKVSACdHQzIwkp1NSFzUzlJjvFqZEgXy3oAoN6h
Hgqn5NkiHaExOJuGwhJVGOy7
=4Ywc
-----END PGP SIGNATURE-----
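As an added example (not code from the thread or from any of its participants), here is the lstat/open pair Olaf describes beside the check a setuid program can make instead: open with O_NOFOLLOW and then judge the descriptor with fstat. It assumes a POSIX system that has O_NOFOLLOW (Linux 2.2 and the BSDs do); the scratch directory and the file names "victim", "tmpfile" and "link" are constructed for the demonstration and stand in for the interesting file and the /tmp file from the message.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The lstat half of the pair discussed in the thread: 0 if the name is not
 * a symlink right now. The answer is stale as soon as it is returned. */
int check_not_symlink(const char *path) {
    struct stat st;
    return (lstat(path, &st) == 0 && !S_ISLNK(st.st_mode)) ? 0 : -1;
}

/* Hardened open: O_NOFOLLOW fails on a symlink at the last component, and
 * fstat() judges the object actually opened rather than a name. Only a regular
 * file with exactly one link passes. No stored device/inode pair is compared,
 * so inode reuse after a long sleep changes nothing. */
int open_nofollow_checked(const char *path) {
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed fixture (hypothetical names): "victim" stands in for the
 * interesting file, "tmpfile" for the file the setuid program means to open. */
static char g_dir[64], g_victim[96], g_tmp[96], g_link[96];

static int touch(const char *p) {
    int fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

int build_fixture(void) {
    strcpy(g_dir, "/tmp/cryoXXXXXX");
    if (mkdtemp(g_dir) == NULL)
        return -1;
    snprintf(g_victim, sizeof g_victim, "%s/victim", g_dir);
    snprintf(g_tmp, sizeof g_tmp, "%s/tmpfile", g_dir);
    snprintf(g_link, sizeof g_link, "%s/link", g_dir);
    return (touch(g_victim) == 0 && touch(g_tmp) == 0) ? 0 : -1;
}

/* 1 if descriptor fd and the file named path are the same object. */
static int same_object(int fd, const char *path) {
    struct stat a, b;
    return fstat(fd, &a) == 0 && stat(path, &b) == 0 &&
           a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* The thread's scenario compressed into one function: the check passes on a
 * regular file, the name is swapped for a symlink inside the window, and the
 * unchanged open() follows it. Returns 1 when the descriptor is the victim. */
int race_window_reaches_victim(void) {
    if (check_not_symlink(g_tmp) != 0)
        return -1;
    unlink(g_tmp);                          /* the window between the calls */
    if (symlink(g_victim, g_tmp) < 0)
        return -1;
    int fd = open(g_tmp, O_WRONLY);
    if (fd < 0)
        return 0;
    int hit = same_object(fd, g_victim);
    close(fd);
    return hit;
}

/* 1 if the hardened open refuses a planted symlink outright. */
int checked_open_rejects_symlink(void) {
    if (symlink(g_victim, g_link) < 0)
        return -1;
    int fd = open_nofollow_checked(g_link);
    if (fd >= 0) { close(fd); return 0; }
    return errno == ELOOP || errno == EMLINK;   /* EMLINK on some BSDs */
}

void remove_fixture(void) {
    unlink(g_link); unlink(g_tmp); unlink(g_victim);
    rmdir(g_dir);
}

int main(void) {
    if (build_fixture() < 0) { perror("fixture"); return 1; }
    printf("check passed, open() of swapped name hit victim: %d\n",
           race_window_reaches_victim());
    printf("O_NOFOLLOW + fstat refused symlink: %d\n", checked_open_rejects_symlink());
    remove_fixture();
    return 0;
}
```

The point of the second function is that the decision is made about the object already opened, not about a name: whatever happened to the directory entry while the program was stopped, and whatever inode number the /tmp file once had, the descriptor either is a plain regular file with one link or it is closed again. For a file the program creates itself, the companion is O_CREAT | O_EXCL, which fails rather than opening something planted under the expected name.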
Current thread:
- Symlinks and Cryogenic Sleep Olaf Kirch (Jan 03)
- Re: Symlinks and Cryogenic Sleep Mark A. Heilpern (Jan 03)
- Re: Symlinks and Cryogenic Sleep Casper Dik (Jan 04)
- Re: Symlinks and Cryogenic Sleep Olaf Kirch (Jan 04)
- Re: Symlinks and Cryogenic Sleep Henrik Nordstrom (Jan 04)
- Re: Symlinks and Cryogenic Sleep Goetz Babin-Ebell (Jan 04)
- Re: Symlinks and Cryogenic Sleep pedward () WEBCOM COM (Jan 04)
- Re: Symlinks and Cryogenic Sleep Christos Zoulas (Jan 04)
- Re: Symlinks and Cryogenic Sleep Mikael Olsson (Jan 05)
- Re: Symlinks and Cryogenic Sleep Marc Heuse (Jan 05)
- Re: Symlinks and Cryogenic Sleep Wietse Venema (Jan 04)