Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio

From: Steven M. Bellovin (smbat_private)
Date: Mon Apr 22 2002 - 15:30:25 PDT


    It's amazing that this has taken so long to resurface.  This is an 
    ancient bug -- see, for example, Henry Spencer's suid man page from 
    1987 (http://groups.google.com/groups?q=checklist+security+setuid+-linux+group:alt.security&hl=en&scoring=r&selm=1991May14.101450.830%40convex.com&rnum=1
    quotes it).  The document notes, among other pieces of sage advice, the 
    following:
    
    	One or more of the standard descriptors might be closed, so that
    	an opened file might get (say) descriptor 1, causing chaos if the
    	program tries to do a
    	.IR printf .
    
    I seem to recall the same suggestion in an early document by Jim Ellis 
    and (I think) Tom Truscott, but I can't find a copy at the moment.
    
    
    		--Steve Bellovin, http://www.research.att.com/~smb
    		Full text of "Firewalls" book now at http://www.wilyhacker.com
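
The failure mode quoted above, and the usual defence, as an added example that is not part of the original message or of the advisory: a set-id program makes sure descriptors 0, 1 and 2 are open before it opens anything else. The function names are hypothetical, and `/dev/null` stands in for whatever file the program would really open.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Point any closed descriptor among 0, 1, 2 at /dev/null. Returns the number
 * repaired, or -1 on error. Call first thing in main() of a set-id program. */
int sanitize_std_fds(void)
{
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1)
            continue;                     /* already open */
        if (errno != EBADF)
            return -1;
        /* open() hands out the lowest free descriptor, which must be fd */
        int nfd = open("/dev/null", O_RDWR);
        if (nfd != fd)
            return -1;                    /* caller should abort */
        repaired++;
    }
    return repaired;
}

/* Constructed demo: a child closes stdout (as an invoking process could do
 * before exec), optionally sanitizes, then opens a file. Returns the
 * descriptor number that file received, or -1 on error. */
int fd_given_to_opened_file(int sanitize)
{
    pid_t pid = fork();
    if (pid == 0) {
        if (sanitize_std_fds() == -1) _exit(255);   /* known starting state */
        close(STDOUT_FILENO);
        if (sanitize && sanitize_std_fds() != 1) _exit(255);
        int fd = open("/dev/null", O_WRONLY);       /* stand-in for a real file */
        _exit(fd >= 0 && fd < 255 ? fd : 255);
    }
    int status;
    if (pid == -1 || waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

int main(void)
{
    printf("unsanitized: fd %d\n", fd_given_to_opened_file(0));
    printf("sanitized:   fd %d\n", fd_given_to_opened_file(1));
    return 0;
}
```

Without the check the opened file lands on descriptor 1, so any later `printf` would write into it; with the check it lands on 3 or higher.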
    


