> Since starting the shell can take a finite amount of time, there's a race
> condition where you can substitute in a different file for the one that
> originally spawned the shell.

Or you can just create a symlink to a setuid script called "-i". Guess what happens when the system executes "sh -i"? Don't even need the race condition.

And even without this, you could always overwrite the SAME file with something new, so the fd doesn't change.

--Greg
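
An audit for the two conditions this message describes, added here as an example and not part of the original thread: it walks a directory tree and reports setuid/setgid files that begin with `#!`, plus symlinks that resolve to one, flagging links whose name starts with `-`. The function names and output labels are made up for this example.

```shell
#!/bin/sh
# Added example: audit a tree for setuid/setgid interpreter scripts and for
# symlinks that point at them. Labels and function names are illustrative.
# Limitation: paths containing newlines are not handled.

# is_suid_script PATH
# Succeeds if PATH (symlinks followed) is a regular file with the setuid or
# setgid bit set whose first two bytes are "#!".
is_suid_script() {
    [ -f "$1" ] || return 1
    [ -u "$1" ] || [ -g "$1" ] || return 1
    magic=$(dd bs=2 count=1 2>/dev/null < "$1")
    [ "$magic" = "#!" ]
}

# audit_suid_scripts DIR
# Prints one finding per line:
#   SUID-SCRIPT <path>          the script itself
#   LINK-TO-SUID-SCRIPT <path>  a symlink resolving to such a script
#   OPTION-NAMED-LINK <path>    such a symlink whose name starts with "-",
#                               so a shell would read the name as an option
audit_suid_scripts() {
    find "$1" \( -type f -o -type l \) -print 2>/dev/null |
    while IFS= read -r path; do
        is_suid_script "$path" || continue
        base=${path##*/}
        if [ -L "$path" ]; then
            case $base in
                -*) echo "OPTION-NAMED-LINK $path" ;;
                *)  echo "LINK-TO-SUID-SCRIPT $path" ;;
            esac
        else
            echo "SUID-SCRIPT $path"
        fi
    done
}

# Run against the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_suid_scripts "$1"
fi
```
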