[13201] in bugtraq


Re: Symlinks and Cryogenic Sleep

daemon@ATHENA.MIT.EDU (Mark A. Heilpern)
Tue Jan 4 15:12:15 2000

Message-Id:  <4.2.0.58.20000103173034.00a3c8f0@mail.mindspring.com>
Date:         Mon, 3 Jan 2000 17:34:45 -0500
Reply-To: "Mark A. Heilpern" <heilpern@MINDSPRING.COM>
From: "Mark A. Heilpern" <heilpern@MINDSPRING.COM>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000103212443.A5807@monad.swb.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 09:24 PM 1/3/00 +0100, you wrote:
[snip]

>When
>the application reaches the critical section of code between the
>lstat and the open, you stop it by sending it a SIGSTOP. You record
>the device and inode number of your /tmp file, remove it, and wait.
>
>Seconds, days or maybe even weeks later, somebody creates an interesting
>file with exactly the same inode (and device) number as the one you
>used with my setuid program. You now create a symlink in /tmp, pointing
>to that interesting file, and send my setuid application a SIGCONT.
>Zap, there goes the file.
[snip]
>Comments? Suggestions?


Maybe I'm just naive, but it's my understanding that you cannot send signals
to a process you don't own unless you are root.

On my Linux 2.2.13 system, I just tried sending SIGSTOP to a root-owned
and nobody-owned process, and each time was told I was not the process owner.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2

iQA/AwUBOHEkBOux2pTVimV9EQKVSACdHQzIwkp1NSFzUzlJjvFqZEgXy3oAoN6h
Hgqn5NkiHaExOJuGwhJVGOy7
=4Ywc
-----END PGP SIGNATURE-----
