Ok.. got all your attention there? It's not as bad as it looks ;)

But there _is_ a /tmp race in /usr/src/linux/scripts/Configure, as used by make config (which is, IMHO, obsoleted by make menuconfig):

    if [ -f $DEFAULTS ]; then
      echo "#"
      echo "# Using defaults found in" $DEFAULTS
      echo "#"
      . $DEFAULTS
      sed -e 's/# \(.*\) is not.*/\1=n/' < $DEFAULTS > /tmp/conf.$$
      . /tmp/conf.$$
      rm /tmp/conf.$$
    else

File is created and sourced. What more could you wish?

And to exploit you'll have from start of script to this point to catch it and create a fifo in /tmp. You know the rest (think GCC symlink exploit): get whatever it puts into the fifo and give it back with a little extra, like creating suid shell in /tmp.

Greetz, Peter.

------------------------------------------------------------------------------
 'Selfishness and separation have led me to   . Peter 'Hardbeat' van Dijk
 to believe that the world is not my problem  . network security consultant
 I am the world. And you are the world.'      . (yeah, right...)
 Live - 10.000 years (peace is now)           . peterat_private
------------------------------------------------------------------------------
 2:08am up 1 day, 12:05, 6 users, load average: 1.10, 1.18, 1.17
------------------------------------------------------------------------------
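
A hardened form of the fragment quoted in the post, as an added example that is not part of the original message and not the kernel's own code. The helper name load_defaults and the sample defaults file are assumptions made for illustration; the sed expression is the one from the post.

```shell
#!/bin/sh
# Added example: hardened form of the defaults-loading step quoted above.
# load_defaults is a hypothetical helper name, not part of scripts/Configure.

load_defaults() {
    defaults=$1
    [ -f "$defaults" ] || return 1

    # mktemp picks an unpredictable name and creates the file exclusively
    # (O_EXCL, mode 0600). A file, symlink or FIFO planted in advance at a
    # guessable name such as /tmp/conf.<pid> can no longer be the thing the
    # script writes to and then sources.
    tmp=$(mktemp "${TMPDIR:-/tmp}/conf.XXXXXXXXXX") || return 1

    . "$defaults"
    if sed -e 's/# \(.*\) is not.*/\1=n/' < "$defaults" > "$tmp"; then
        . "$tmp"
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Constructed sample input, kept in a private directory so the demo is offline.
demo_dir=$(mktemp -d) || exit 1
cat > "$demo_dir/defconfig" <<'EOF'
#
# Constructed sample, not a real kernel configuration
#
CONFIG_EXPERIMENTAL=y
# CONFIG_MODULES is not set
EOF
load_defaults "$demo_dir/defconfig"
echo "CONFIG_EXPERIMENTAL=$CONFIG_EXPERIMENTAL CONFIG_MODULES=$CONFIG_MODULES"
rm -rf "$demo_dir"
```

The defaults file itself is still executed as shell, so it has to come from a location only the invoking user can write to.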