On Fri, 10 Feb 1995, Greg Woods wrote:

> Or you can just create a symlink to a setuid script called "-i". Guess
> what happens when the system executes "sh -i"? Don't even need the
> race condition. And even without this, you could always overwrite the
> SAME file with something new, so the fd doesn't change.

Attack #1 (symlink -i) fails under Solaris. The shell is invoked as:

/bin/sh /dev/fd/xxx

Attack #2 is only possible if you're dumb enough to leave a setuid program
world-writeable.

--
Carson Gaspar -- carson@cs.columbia.edu carson@lehman.com
<This is the boring business .sig - no outre sayings here>
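The precondition Carson names for attack #2 (a setuid program that is also world-writable) is easy to audit for. The following POSIX shell helper is an added example, not code from either poster: it walks a directory and reports any file with the setuid or setgid bit set that is also writable by "other". The directory argument and the function names are assumptions for illustration; `find -perm -MODE` (all listed bits set) is supported by both GNU and BSD find.

```shell
#!/bin/sh
# Added example (not from the original thread): find setuid/setgid files that
# are world-writable, i.e. files an unprivileged user could overwrite in place.

# Print every regular file under $1 that has (setuid AND other-write) or
# (setgid AND other-write) set. -perm -4002 / -perm -2002 mean "at least these
# bits"; errors from unreadable subtrees are discarded.
find_writable_setuid() {
    # $1: directory to scan (assumption: caller passes an existing path)
    find "$1" -type f \( -perm -4002 -o -perm -2002 \) 2>/dev/null
}

# Return 0 when the tree is clean, 1 when at least one offending file exists,
# printing each finding on its own line.
audit_dir() {
    hits=$(find_writable_setuid "$1")
    if [ -n "$hits" ]; then
        printf 'WORLD-WRITABLE SETUID/SETGID: %s\n' "$hits"
        return 1
    fi
    return 0
}

# Typical use from a cron job: audit_dir /usr/local/bin || mail the output.
```

Run it against the directories that hold privileged binaries; a non-zero exit from `audit_dir` is the signal that the in-place overwrite described above is possible regardless of any /dev/fd protection.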