Mark wrote:
> Well, if the admin had clamav's ~/.bashrc world-writeable, then that would
> indeed be quite an oversight. :)

Someone can correct me if I'm wrong, but I believe the idea here would be to trick *clamav itself* into writing to its ~/.bashrc by setting up a symbolic link in a predictable, world-writable location.

The scenario would be this:

1. Target file is locked down.
2. App with necessary privileges will write data to a predictable location that is *not* locked down.
3. Attacker creates a symlink in that location so that the privileged app will inadvertently overwrite the target file.
4. Attacker can either enjoy the chaos, or attempt to manipulate just what the privileged app will write.

--
Kelson Vibber
SpeedGate Communications <www.speed.net>
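
The scenario in the message above, seen from the writing application's side, as an added example that is not part of the original post and is not ClamAV's code: the same write is made once with plain create-and-truncate flags and once with O_EXCL | O_NOFOLLOW, against a symlink that already occupies the predictable name. The function names, the file names "protected" and "app.tmp", and the /tmp/symdemoXXXXXX directory are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open path with the given flags and write data; 0 on success, -1 on failure. */
static int write_with_flags(const char *path, const char *data, int flags) {
    int fd = open(path, flags, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Naive: follows a symlink already sitting at path and truncates its target. */
#define NAIVE_FLAGS (O_WRONLY | O_CREAT | O_TRUNC)
/* Hardened: O_EXCL fails if anything, a symlink included, already exists at
 * path; O_NOFOLLOW refuses a symlink in the final path component. */
#define SAFE_FLAGS (O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW)

/* Constructed scenario in a private mkdtemp() directory: "protected" is the
 * locked-down file, "app.tmp" the predictable name the application writes to.
 * Returns 1 if the protected file was overwritten, 0 if the write was refused
 * and the file is intact, -1 on setup error. */
int symlink_scenario(int use_safe) {
    char dir[] = "/tmp/symdemoXXXXXX", target[64], tmpname[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(tmpname, sizeof tmpname, "%s/app.tmp", dir);
    if (write_with_flags(target, "original\n", SAFE_FLAGS) || symlink(target, tmpname)) return -1;
    int rc = write_with_flags(tmpname, "scratch data\n",
                              use_safe ? SAFE_FLAGS : NAIVE_FLAGS);
    int intact = stat(target, &st) == 0 && st.st_size == 9; /* "original\n" */
    unlink(tmpname); unlink(target); rmdir(dir);
    if (rc == 0 && !intact) return 1;
    if (rc != 0 && intact) return 0;
    return -1;
}

int main(void) {
    printf("naive flags: protected file overwritten = %d\n", symlink_scenario(0));
    printf("O_EXCL|O_NOFOLLOW: protected file overwritten = %d\n", symlink_scenario(1));
    return 0;
}
```

For scratch files, mkstemp() gives the same exclusive-create guarantee together with an unpredictable name.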