Andrew Pimlott <[EMAIL PROTECTED]> wrote:
> > > If he is smart, he will check whether the file is open (eg with fuser)
> > Not really. The file does not have to be open to be present in the system.
> > It is perfectly possible to leave a dangling root-owned file several
> > times,
> Correct, but:
Michal Zalewski wrote:
>The first instance of chfn is still holding an open descriptor to
>/etc/ptmptmp, which later became /etc/ptmp - and, if we send SIGCONT
>to this process, will be renamed to /etc/passwd. Step 3 will fall
>through because there is no error checking, and new in
On Tue, Jul 30, 2002 at 09:59:36AM -0400, Michal Zalewski wrote:
> On Tue, 30 Jul 2002, Andrew Pimlott wrote:
>
> > If he is smart, he will check whether the file is open (eg with fuser)
> > before removing it. So your attack does require an administrator
> > mistake.
>
> Not really. The file d
On Tue, 30 Jul 2002, Andrew Pimlott wrote:
> If he is smart, he will check whether the file is open (eg with fuser)
> before removing it. So your attack does require an administrator
> mistake.
Not really. The file does not have to be open to be present in the system.
It is perfectly possible t
On Mon, Jul 29, 2002 at 10:51:50AM -0400, Michal Zalewski wrote:
>the administrator will most likely add "rm -f /etc/ptmp" or
>equivalent to his crontab
If he is smart, he will check whether the file is open (eg with
fuser) before removing it. So your attack does require an
administrator