McKown, John wrote:
This is a scary article. I don't have a Linux on z system to test it out on.

http://www.catonmat.net/blog/ldd-arbitrary-code-execution/

Oh, jeez, guys.

This is a kid's trick. The victim has to be stupid enough to execute ldd against
a binary in the scamming user's write permission domain. And it doesn't run
as root when it runs, just as the moron who executed this idiotic command,

   ldd ~jwoehr/hacks/bogus_binary

? Keep users who would do such things out of shell access. Let 'em use the
web interface you provide them instead, it's safer that way.

--
Jack J. Woehr            # «'I know what "it" means well enough, when I find
http://www.well.com/~jax # a thing,' said the Duck: 'it's generally a frog or
http://www.softwoehr.com # a worm.'» - Lewis Carroll, _Alice in Wonderland_

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
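
An added example, not part of the thread: one way to look at an untrusted binary without running ldd on it is to read the ELF PT_INTERP header (the loader path the file names) and compare it with an allowlist. It handles 32/64-bit and both byte orders; the allowlist contents, the function names and the constructed sample binary are assumptions made here.

```python
import struct

PT_INTERP = 3
# Assumption: loaders this site trusts; adjust per distribution and architecture.
TRUSTED_LOADERS = {"/lib/ld64.so.1", "/lib64/ld-linux-x86-64.so.2",
                   "/lib/ld-linux-aarch64.so.1"}

def elf_interpreter(data):
    """Return the PT_INTERP path of an ELF image, or None if it has none.
    Only reads bytes; nothing from the file is ever executed."""
    if (len(data) < 52 or data[:4] != b"\x7fELF"
            or data[4] not in (1, 2) or data[5] not in (1, 2)):
        raise ValueError("not a recognisable ELF file")
    is64 = data[4] == 2                       # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"        # EI_DATA: little / big endian
    if is64:
        phoff, = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        phoff, = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", data, base)
        if p_type != PT_INTERP:
            continue
        if is64:                              # p_offset, p_filesz positions differ
            off, = struct.unpack_from(end + "Q", data, base + 8)
            size, = struct.unpack_from(end + "Q", data, base + 32)
        else:
            off, = struct.unpack_from(end + "I", data, base + 4)
            size, = struct.unpack_from(end + "I", data, base + 16)
        return data[off:off + size].split(b"\0")[0].decode("ascii", "replace")
    return None

def loader_is_allowlisted(data):
    """True only when the file names a loader that is on the allowlist."""
    return elf_interpreter(data) in TRUSTED_LOADERS

def make_elf64_be(interp):
    """Constructed sample: minimal big-endian ELF64 (s390x-style) with PT_INTERP."""
    path = interp.encode() + b"\0"
    ehdr = b"\x7fELF\x02\x02\x01" + bytes(9) + struct.pack(
        ">HHIQQQIHHHHHH", 2, 22, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack(">IIQQQQQQ", PT_INTERP, 4, 120, 0, 0,
                       len(path), len(path), 1)
    return ehdr + phdr + path
```

On a real file, pass `open(path, "rb").read()`; `readelf -l` and `objdump -p` show the same header without executing the file.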
