[13249] in bugtraq


Re: Symlinks and Cryogenic Sleep

daemon@ATHENA.MIT.EDU (John Cochran)
Wed Jan 5 15:46:26 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id:  <200001042046.PAA68478@jdcochran.fiawol.org>
Date:         Tue, 4 Jan 2000 15:46:19 -0500
Reply-To: John Cochran <jdc@FIAWOL.ORG>
From: John Cochran <jdc@FIAWOL.ORG>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

der Mouse <mouse@RODENTS.MONTREAL.QC.CA> wrote:

> > [symlink-paranoia code]
>
> > However, consider an average setuid root application, [...].  When
> > the application reaches the critical section of code between the
> > lstat and the open, you stop it by sending it a SIGSTOP.
>
> If you can send it a SIGSTOP, either you're running as root (in which
> case you don't *need* to play with symlink races), the application is
> running as you (in which case breaking it buys you nothing), or signal
> delivery is critically broken.
>
> In fact, I suspect that any process you can SIGSTOP, you can attach to
> with ptrace and do whatever you want without need for subterfuge.

Script started on Tue Jan  4 15:40:55 2000
bash-2.02$ ls -l ./slow
-rwsr-xr-x  1 root  nogroup  3170 Jan  4 15:36 ./slow
bash-2.02$ whoami
jdc
bash-2.02$ ./slow &
[1] 68416
bash-2.02$ ps -up 68416
USER   PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED      TIME COMMAND
root 68416  0.0  0.2   752  248  p1  S     3:41PM   0:00.01 ./slow
bash-2.02$ kill -STOP 68416

[1]+  Stopped                 ./slow
bash-2.02$ kill -CONT 68416
bash-2.02$ ps -up 68416
USER   PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED      TIME COMMAND
root 68416  0.0  0.2   752  248  p1  S     3:41PM   0:00.01 ./slow
bash-2.02$ kill -9 68416
[1]+  Killed                  ./slow
bash-2.02$ exit
exit

Script done on Tue Jan  4 15:42:06 2000
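Added example, not part of the thread or of either poster's code: the lstat()-then-open() pattern the discussion refers to, beside a version that has no window for a stopped process to be raced. The idea is that with O_NOFOLLOW the kernel refuses a symlink in the final path component inside the open() call itself, and the file-type check is done with fstat() on the descriptor that was actually opened, so there is no gap between check and use. It assumes a POSIX system that provides O_NOFOLLOW and O_CLOEXEC (Linux, the BSDs); the function names, the bitmask layout and the scratch files under /tmp are constructed for this example.

```c
/* Added example: racy lstat()+open() beside a race-free O_NOFOLLOW+fstat()
 * opener. Assumes a POSIX system with O_NOFOLLOW/O_CLOEXEC. All names and
 * the scratch fixture below are constructed for this demonstration. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: the object examined by lstat() and the object opened by
 * open() are found by two separate name lookups. */
int open_racy(const char *path)
{
    struct stat st;
    if (lstat(path, &st) < 0)
        return -1;
    if (!S_ISREG(st.st_mode)) {
        errno = EINVAL;
        return -1;
    }
    /* Window: if the process is stopped here, the name can change
     * before open() looks it up again. */
    return open(path, O_RDONLY);
}

/* Race-free pattern: one lookup, done by open() with O_NOFOLLOW, then the
 * type check on the descriptor that lookup produced. */
int open_nofollow_regular(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;           /* a symlink in the last component fails here */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);           /* opened something, but not a regular file */
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Returns 1 if the opener hands back a usable descriptor for path. */
static int accepts(int (*opener)(const char *), const char *path)
{
    int fd = opener(path);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Builds a constructed fixture (regular file, symlink to it, directory),
 * runs both openers over it and returns a bitmask:
 *   1 / 2 / 4   open_racy accepted regular / symlink / directory
 *   8 / 16 / 32 open_nofollow_regular accepted regular / symlink / directory
 * Returns -1 if the fixture could not be created. */
int run_demo(void)
{
    char dir[] = "/tmp/nofollow-demo-XXXXXX";
    char regular[80], link[80], subdir[80];
    int fd, result = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(regular, sizeof regular, "%s/target", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    snprintf(subdir, sizeof subdir, "%s/sub", dir);

    fd = open(regular, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    if (write(fd, "constructed sample\n", 19) != 19) { close(fd); return -1; }
    close(fd);
    if (symlink(regular, link) < 0 || mkdir(subdir, 0700) < 0)
        return -1;

    if (accepts(open_racy, regular))             result |= 1;
    if (accepts(open_racy, link))                result |= 2;
    if (accepts(open_racy, subdir))              result |= 4;
    if (accepts(open_nofollow_regular, regular)) result |= 8;
    if (accepts(open_nofollow_regular, link))    result |= 16;
    if (accepts(open_nofollow_regular, subdir))  result |= 32;

    unlink(link); unlink(regular); rmdir(subdir); rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("result bitmask: %d (9 means both openers accept only the regular file)\n", r);
    return r == 9 ? 0 : 1;
}
```

Both openers reject the symlink and the directory when nothing is racing them; the difference is that open_racy has a point at which a stopped process can be overtaken, and open_nofollow_regular does not. The fstat() step matters because O_NOFOLLOW only rules out a symlink as the final component; it still opens a directory or device, which the type check then refuses.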
