[3492] in bugtraq


Re: solaris 2.4 license-manager bug

daemon@ATHENA.MIT.EDU (Herold Heiko)
Thu Oct 17 06:51:41 1996

Date: 	Thu, 17 Oct 1996 10:34:09 +0200
Reply-To: Heiko.Herold@dei.unipd.it
From: Herold Heiko <Heiko.Herold@dei.unipd.it>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To:  <199610170245.MAA01323@schist.agso.gov.au> from "Jeffrey Howard"
              at Oct 17, 96 12:45:01 pm

>
> > Another bug for solaris 2.4
> > The license manager must be running, expect both
> > lmgrd.ste & suntechd to be somewhere in your process table.

...

> Some observations ...
>
> Lock files are created by the lmgrd process for each license daemon
> process it manages when it starts. These lock files are generally owned
> by root, the id under which they were started. If the sticky bit is set
> on the /var/tmp directory, no normal user will be able to remove the
> lock file, thus breaking step 1 of the exploit.
>
> Perhaps there is a window of opportunity if you can create the symbolic

and there is another possibility if root installs some program in order
to automatically clean old files from /tmp, /var/tmp and does not pay
attention to root files and such.


--
--- hman@dei.unipd.it --- Heiko Herold --- Ankh-Morpork had dallied
with many forms of government and had ended up with that form of
democracy known as One Man, One Vote. The Patrician was the Man; he
had the Vote. -- Discworld politics explained  (Terry Pratchett, Mort)
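
The two conditions raised in this thread (the sticky bit on the temporary directory, and a cleanup job that must leave root-owned files alone), as an added example that is not part of the original messages. The function names, the 7-day age used in the usage note and the choice to skip files by owner UID are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: defensive checks for world-writable temp directories.
# All function names here are hypothetical, not from any vendor tool.

# is_sticky DIR
# Succeeds only if DIR is a directory with the sticky bit set, meaning
# ordinary users can remove only files they own inside it.
is_sticky() {
    [ -d "$1" ] && [ -k "$1" ]
}

# audit_tmp DIR...
# Reports each directory and returns non-zero if any lacks the sticky bit.
audit_tmp() {
    rc=0
    for d in "$@"; do
        if is_sticky "$d"; then
            echo "ok:   $d has the sticky bit"
        else
            echo "WARN: $d lacks the sticky bit (expected mode 1777)"
            rc=1
        fi
    done
    return $rc
}

# cleanup_candidates DIR DAYS PROTECTED_UID
# Lists what an age-based cleanup job may delete: regular files older than
# DAYS days, excluding anything owned by PROTECTED_UID (0 for root), so
# lock files created by root-started daemons are never removed on a
# user's behalf. find does not follow symbolic links by default, and
# -xdev keeps it on the same filesystem.
cleanup_candidates() {
    find "$1" -xdev -type f -mtime +"$2" ! -user "$3" -print
}
```

Typical use is `audit_tmp /tmp /var/tmp` followed by reviewing `cleanup_candidates /var/tmp 7 0` before letting any job delete the listed files.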
