On Sat, Jun 03, 2006 at 01:35:21PM +0100, mal content wrote:
> % find /home -ls | sort -n +6 | tail -1 | awk '{print $11}'
> /home/joe/just-testing/rc
> % ls -l /home/joe/just-testing/rc
> -rw-r--r-- 1 joe joe 41162685334 Dec 9 10:00 /home/joe/just-testing/rc
> % rm /home/joe/just-testing/rc
> % ls -l /home/joe/just-testing/rc
> ls: /home/joe/just-testing/rc: No such file or directory
> %
>
> The system administrator later discovers, to his surprise, that the
> important 16000-byte system file /etc/rc has disappeared. What exactly
> did joe do?
One possibility is that between the first ls -l and the rm, joe
changed just-testing to a symlink to /etc. However, I think this attack
scenario relies too much on joe's ability to blindly predict when the
sysadmin is about to run rm.
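
The swap discussed above depends on the inspection and the removal each resolving the path from scratch. As an added example (not part of the original message), this Python code opens every directory component with O_NOFOLLOW and then inspects and unlinks through that one pinned descriptor; the function names and the temporary tree standing in for /home and /etc are constructed for illustration.

```python
import os, stat, tempfile
NOFOLLOW_DIR = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW

def open_dir_nofollow(base, rel_dir):
    """Open base/rel_dir one component at a time, refusing symlinks."""
    fd = os.open(base, os.O_RDONLY | os.O_DIRECTORY)  # base is trusted
    try:
        for part in filter(None, rel_dir.split("/")):
            if part in (".", ".."):
                raise ValueError("relative components not allowed")
            nxt = os.open(part, NOFOLLOW_DIR, dir_fd=fd)  # fails on a symlink
            os.close(fd)
            fd = nxt
        return fd
    except BaseException:
        os.close(fd)
        raise

def inspect_then_remove(base, rel_path, confirm):
    """lstat and unlink a file through one pinned directory descriptor."""
    rel_dir, name = os.path.split(rel_path)
    dfd = open_dir_nofollow(base, rel_dir)
    try:
        st = os.stat(name, dir_fd=dfd, follow_symlinks=False)
        if not stat.S_ISREG(st.st_mode) or not confirm(st):
            return False
        os.unlink(name, dir_fd=dfd)  # same directory that was inspected
        return True
    finally:
        os.close(dfd)

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # constructed stand-in tree
        root = os.path.realpath(tmp)
        victim, etc = (os.path.join(root, p) for p in ("home/joe/just-testing", "etc"))
        for d in (victim, etc):
            os.makedirs(d)
            open(os.path.join(d, "rc"), "w").close()
        def swap(_st):  # directory replaced by a symlink after inspection
            os.rename(victim, victim + ".moved")
            os.symlink(etc, victim)
            return True
        removed = inspect_then_remove(root, "home/joe/just-testing/rc", swap)
        try:  # a fresh walk now meets the symlink and is refused
            inspect_then_remove(root, "home/joe/just-testing/rc", lambda st: True)
            refused = False
        except OSError:
            refused = True
        return removed, os.path.exists(os.path.join(etc, "rc")), refused
```

`demo()` returns whether the file in the original directory was removed, whether the stand-in `etc/rc` survived the swap, and whether a later walk over the symlinked path was refused.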