Re: suid script
On Sat, 5 Dec 1998, Jiri Baum wrote:
> The way I remember it is:
>
> 1) kernel opens the file, finds it suid
> 2) kernel executes the shell with that uid
> 3) shell opens the same filename
>
> If some fast file-moving is done between (1) and (3), one can substitute
> something else for the suid script.
>
> Don't forget the user can copy / link a suid script into his home directory.
Ahh, link is the thing I was looking for. Otherwise, the person who made
the suid script would be responsible for the exploit, which wasn't making
sense to me. I think it's probably the kernel that does the open on step
3, but it's no big difference in the point you were making. I wonder how
other unix variants that allow suid scripts do this? Or better question:
are there any? This has been very interesting, thanks for all the info.
Brandon
+--- ---+
| Brandon Mitchell * bhmit1@mail.wm.edu * http://bhmit1.home.ml.org/ |
| Sometimes you have to release software with bugs. - MS Recruiter |
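
The three steps quoted above, replayed deterministically as an added example (not part of either message): the name is re-pointed after the first open, and the program shows that a second lookup by name lands on a different inode while the already-open descriptor still yields the file that was checked. The file names, the temp directory and the helper functions are constructed for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if `path` still names the inode that `fd` has open, 0 if not, -1 on error. */
static int name_matches_fd(int fd, const char *path)
{
    struct stat by_fd, by_name;
    if (fstat(fd, &by_fd) != 0 || stat(path, &by_name) != 0)
        return -1;
    return by_fd.st_dev == by_name.st_dev && by_fd.st_ino == by_name.st_ino;
}

static int write_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

/* Constructed scenario in a private temp dir. Returns 0 when the name was
 * re-pointed after the check yet the descriptor still yields the checked file. */
int demo_pinned_open(void)
{
    char dir[] = "/tmp/suidrace.XXXXXX", buf[32] = {0};
    if (!mkdtemp(dir) || chdir(dir) != 0) return -1;
    if (write_file("checked", "checked\n") || write_file("other", "other\n")) return -1;
    if (link("checked", "script") != 0) return -1;   /* link in a user-writable dir */
    int fd = open("script", O_RDONLY);               /* step 1: open and inspect */
    if (fd < 0) return -1;
    int before = name_matches_fd(fd, "script");      /* 1: name and fd agree */
    if (rename("other", "script") != 0) return -1;   /* name changes between 1 and 3 */
    int after = name_matches_fd(fd, "script");       /* 0: a step-3 open by name differs */
    ssize_t n = read(fd, buf, sizeof buf - 1);       /* step 3 done through the fd */
    close(fd);
    unlink("script"); unlink("checked");
    if (chdir("/") == 0) rmdir(dir);
    return (before == 1 && after == 0 && n > 0 && strcmp(buf, "checked\n") == 0) ? 0 : 1;
}

int main(void)
{
    int rc = demo_pinned_open();
    printf("descriptor stayed on the checked file: %s\n", rc == 0 ? "yes" : "no");
    return rc;
}
```

Taking every later decision from the descriptor opened in step 1, rather than looking the filename up again, is what removes the window between check and use.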