> 1. Non-privileged process A running as user Alice creates a file > called /tmp/ipc. > 2. A signals to privileged process B, running as root, that the file exists. > 3. Malevolent process C, running as user Eve, notices the file, > unlinks it (which it can do due to the permissions on /tmp) and > creates a new one in its place with its own preferred contents. > 4. B performs its action on the newly-replaced file contents.
I debated whether I should mention my technique thinking someone might bring up this precise vulnerability. :) My rationale is based on the fact the BetterAuthorizationSample is also vulnerable to a similar attack: some malicious code is running in the background, and at just the right instant replaces the genuine tool with a malicious one, and the malicious tool gets root privileges. Granted, our cases are quite different: mine is completely preventable by using an IPC mechanism that avoids the filesystem, as you mentioned. But alas, I sided with the "if they want it bad enough..." line of thinking. David _______________________________________________ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com