On Sat, Jun 03, 2006 at 01:35:21PM +0100, mal content wrote:
> % find /home -ls | sort -n +6 | tail -1 | awk '{print $11}'
> /home/joe/just-testing/rc
> % ls -l /home/joe/just-testing/rc
> -rw-r--r-- 1 joe joe 41162685334 Dec 9 10:00 /home/joe/just-testing/rc
> % rm /home/joe/just-testing/rc
> % ls -l /home/joe/just-testing/rc
> ls: /home/joe/just-testing/rc: No such file or directory
> %
>
> The system administrator later discovers, to his surprise, that the important
> 16000-byte system file /etc/rc has disappeared. What exactly did joe do?

One possibility is that, between the first ls -l and the rm, joe changed just-testing to a symlink to /etc. However, I think this attack scenario relies too much on joe's ability to blindly predict when the sysadmin is about to run rm.
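
The directory swap discussed in this reply, seen from the administrator's side, as an added example that is not part of the original thread: a removal routine that walks the path one component at a time with O_NOFOLLOW, so a directory replaced by a symlink between the inspection and the removal makes the removal fail instead of redirecting it. The names `safe_unlink` and `demo` are hypothetical, the sandbox under a temporary directory is constructed to stand in for /home/joe and /etc, and a POSIX system with `dir_fd` support is assumed.

```python
import os
import tempfile

NOFOLLOW_DIR = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW

def safe_unlink(path):
    """Unlink an absolute path, refusing to traverse any symlinked directory."""
    parts = [p for p in path.split("/") if p]
    if not path.startswith("/") or not parts or ".." in parts:
        raise ValueError("need an absolute path without '..'")
    *dirs, name = parts
    dirfd = os.open("/", os.O_RDONLY | os.O_DIRECTORY)
    try:
        for comp in dirs:
            # open() fails here if comp is a symlink, even one swapped in
            # after the administrator last looked at the path.
            nxt = os.open(comp, NOFOLLOW_DIR, dir_fd=dirfd)
            os.close(dirfd)
            dirfd = nxt
        # unlinkat() never follows a symlink in the final component.
        os.unlink(name, dir_fd=dirfd)
    finally:
        os.close(dirfd)

def demo():
    """Constructed sandbox standing in for /home/joe and /etc."""
    base = os.path.realpath(tempfile.mkdtemp())
    testing = os.path.join(base, "home", "joe", "just-testing")
    etc = os.path.join(base, "etc")
    os.makedirs(testing)
    os.makedirs(etc)
    for d in (testing, etc):
        with open(os.path.join(d, "rc"), "w") as f:
            f.write("x")
    target = os.path.join(testing, "rc")  # the path the admin inspected
    # The swap described in the reply: just-testing becomes a symlink to etc.
    os.rename(testing, testing + ".moved")
    os.symlink(etc, testing)
    try:
        safe_unlink(target)
        refused = False
    except OSError:
        refused = True
    return refused, os.path.exists(os.path.join(etc, "rc"))

if __name__ == "__main__":
    print(demo())
```

The errno raised for the symlinked component differs between systems, so callers should treat any OSError from the walk as a refusal.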