On Sat, 5 Dec 1998, Jiri Baum wrote:
> The way I remember it is:
>
> 1) kernel opens the file, finds it suid
> 2) kernel executes the shell with that uid
> 3) shell opens the same filename
>
> If some fast file-moving is done between (1) and (3), one can substitute
> something else for the suid script.
>
> Don't forget the user can copy / link a suid script into his home directory.
Ahh, link is the thing I was looking for. Otherwise, the person who made the suid script would be responsible for the exploit, which wasn't making sense to me. I think it's probably the kernel that does the open on step 3, but it's no big difference in the point you were making. I wonder how other unix variants that allow suid scripts do this? Or better question: are there any? This has been very interesting, thanks for all the info.

Brandon

+--- ---+
| Brandon Mitchell * [EMAIL PROTECTED] * http://bhmit1.home.ml.org/ |
| Sometimes you have to release software with bugs. - MS Recruiter |
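The three-step sequence quoted above, as an added example that is not part of the thread and not code from either poster. Modern kernels ignore the setuid bit on scripts, so the program below simulates steps (1) to (3) in user space instead of racing a real exec: it creates a constructed fixture (a "trusted" setuid-mode script, an attacker-owned file, and a symlink to the script standing in for the link copied into a home directory), runs the kernel's open-and-check, then invokes the attacker's swap deterministically in the window before the interpreter reads the script. The swap is an atomic rename() of a new symlink over the old one, which is the "fast file-moving" the thread refers to. It also shows the mitigation used by Unix variants that honor setuid scripts safely: the kernel hands the interpreter the already-open descriptor (via /dev/fd/N) rather than the path name, so a rename after the check cannot change which file gets read. Function names, the temp directory layout and the file contents are all assumptions made for this example.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed fixture (not from the thread): a trusted setuid script, an
 * attacker-controlled file, and a symlink the attacker owns that points at the
 * trusted script.  The suid "kernel" is asked to run the symlink's path. */
static char g_dir[64], g_link[128], g_trusted[128], g_evil[128];

static int write_file(const char *path, const char *text, mode_t mode) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    if (n != (ssize_t)strlen(text)) return -1;
    return chmod(path, mode);          /* 04755 sets the setuid bit (owner may) */
}

static int setup(void) {
    strcpy(g_dir, "/tmp/suidrace.XXXXXX");
    if (!mkdtemp(g_dir)) {             /* fall back to cwd if /tmp is unusable */
        strcpy(g_dir, "./suidrace.XXXXXX");
        if (!mkdtemp(g_dir)) return -1;
    }
    snprintf(g_link, sizeof g_link, "%s/link", g_dir);
    snprintf(g_trusted, sizeof g_trusted, "%s/trusted.sh", g_dir);
    snprintf(g_evil, sizeof g_evil, "%s/evil.sh", g_dir);
    if (write_file(g_trusted, "#!/bin/sh\necho trusted\n", 04755) < 0) return -1;
    if (write_file(g_evil, "#!/bin/sh\necho attacker\n", 0755) < 0) return -1;
    return symlink(g_trusted, g_link);  /* the link in the attacker's home dir */
}

static void cleanup(void) {
    unlink(g_link); unlink(g_trusted); unlink(g_evil); rmdir(g_dir);
}

/* The "fast file-moving": repoint the link at the attacker's file.  rename()
 * replaces the symlink itself (it does not follow it) and is atomic, so the
 * path never fails to resolve; it just resolves to a different file. */
static void attacker_swap(void) {
    char tmp[160];
    snprintf(tmp, sizeof tmp, "%s/tmp-link", g_dir);
    symlink(g_evil, tmp);
    rename(tmp, g_link);
}

/* Steps (1)-(3) from the thread.  pass_fd == 0: the interpreter is given only
 * the path and reopens it (the flaw).  pass_fd == 1: the interpreter is given
 * the descriptor the kernel already checked (what /dev/fd/N provides).
 * Copies what the interpreter reads into out; returns whether the kernel saw
 * the setuid bit at step (1), or -1 on error. */
static int run_suid_script(const char *path, int pass_fd, void (*race)(void),
                           char *out, size_t n) {
    int fd = open(path, O_RDONLY);                 /* (1) kernel opens the file */
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    int suid = (st.st_mode & S_ISUID) != 0;        /*     ... and finds it suid */
    /* (2) the kernel would now exec the interpreter as st.st_uid; omitted here */
    if (race) race();                              /* window between (1) and (3) */
    int script = fd;
    if (!pass_fd) {
        close(fd);
        script = open(path, O_RDONLY);             /* (3) interpreter reopens by name */
        if (script < 0) return -1;
    }
    ssize_t len = read(script, out, n - 1);        /* same inode as step (1) if pass_fd */
    close(script);
    if (len < 0) return -1;
    out[len] = '\0';
    return suid;
}

/* Runs the whole scenario once.  Returns 1 if the interpreter ended up reading
 * the attacker's file, 0 if it read the file the kernel checked, -1 on error. */
int interpreter_was_fooled(int pass_fd) {
    char buf[256];
    if (setup() < 0) return -1;
    int suid = run_suid_script(g_link, pass_fd, attacker_swap, buf, sizeof buf);
    cleanup();
    if (suid < 0) return -1;
    return strstr(buf, "attacker") != NULL;
}

int main(void) {
    printf("interpreter reopens by name: %s\n",
           interpreter_was_fooled(0) == 1 ? "attacker's file was read" : "trusted file read");
    printf("interpreter given the open fd: %s\n",
           interpreter_was_fooled(1) == 1 ? "attacker's file was read" : "trusted file read");
    return 0;
}
```

The demo calls attacker_swap() from inside the window so the outcome is repeatable; against a real kernel the attacker loops on the rename while repeatedly exec'ing the link and wins only some fraction of attempts, but one win is enough since the interpreter is already running with the script owner's uid. Note that the check at step (1) is not the bug: fstat() on the open descriptor is correct, and keeping that descriptor is exactly what removes the race.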