On Mon, Apr 08, 2024 at 12:23:38AM +0300, ad...@osrc.rip wrote:
> - Looks for list of PIDs started by the user, whether it's started in
>   terminal or command line, and saves them into $DotShProcessList
> - Takes $DotShProcessList and filters out those that don't have root access.
>   Those that do are saved into $UserScriptsRunningAsRoot
> - Searches for file names of $UserScriptsRunningAsRoot processes in
>   /home/$USER (aka ~) and saves it to $ScriptFiles

So your "vulnerability" requires that the attacker has unprivileged access to the system, and locates a shell script which is owned by a second unprivileged user, and for some reason has world write access, and is also currently being executed by root?

In that scenario I would say the real problem is that the second user is leaving world-writable files sitting around. If the attacker finds such scripts, they can edit them ahead of time, and simply wait for the second user to execute them via sudo. There's no need to find the script being executed in real time.
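The misconfiguration the reply identifies as the real problem, world-writable shell scripts sitting in a home directory, is something an administrator can audit for directly. The following is an added example, not code from the thread or from the original poster's script; it assumes only POSIX `find`, `head` and `grep`, and the directory to scan is passed as an argument (e.g. `/home`).

```sh
#!/bin/sh
# Added example (not from the thread): audit a directory tree for
# shell scripts that any user on the system can modify. A world-writable
# script later run via sudo can be edited by any local user ahead of time,
# which is the scenario the reply above describes.

# Print world-writable regular files under $1 that look like shell
# scripts (by a .sh extension or a shell shebang), one path per line.
find_world_writable_scripts() {
    dir="$1"
    # -perm -0002: the "other" write bit is set (portable numeric form)
    find "$dir" -type f -perm -0002 2>/dev/null | while IFS= read -r f; do
        case "$f" in
            *.sh) printf '%s\n' "$f"; continue ;;
        esac
        # Otherwise, look for a shell interpreter on the shebang line
        # (matches /bin/sh, /bin/bash, /usr/bin/env bash, etc.)
        if head -n 1 "$f" 2>/dev/null | grep -Eq '^#!.*sh([[:space:]]|$)'; then
            printf '%s\n' "$f"
        fi
    done
}

# Number of findings, convenient for cron jobs or compliance checks
# (a non-zero count means someone left a world-writable script around).
count_world_writable_scripts() {
    find_world_writable_scripts "$1" | wc -l | tr -d ' '
}

# Usage: sh audit.sh /home
if [ -n "$1" ]; then
    find_world_writable_scripts "$1"
fi
```

Files flagged here should have their permissions tightened (`chmod o-w`); a script that root or sudo ever executes should not be writable by anyone but its owner.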