Hi --

Browsing through some archived "bugtraq" messages I discovered a really nifty way to change the effective and real userid of any process running under SunOS 4.1.x (well, at least 4.1.2 and 4.1.3x). That particular hole is demonstrably exploitable under Solaris 2.3 (and I assume Solaris 2.4), except for one little problem....

... obtaining a pointer to the process's user credentials structure. SunOS 4.1.x was kind enough to supply "pstat", but that's missing under Solaris 2.x. We've been scratching our heads trying to find a Solaris utility that would do the same thing, but can't find one.

Obtaining the magic address is pretty simple using:

    #include <stdio.h>
    #include <stdlib.h>
    #include <fcntl.h>
    #include <kvm.h>
    #include <sys/param.h>
    #include <sys/proc.h>

    /* Print the kernel address of the credentials structure of process <pid>. */
    int
    main(int argc, char *argv[])
    {
        kvm_t  *kernel;
        proc_t *ourproc;
        pid_t   pid;

        if (argc != 2) {
            fprintf(stderr, "usage: %s pid\n", argv[0]);
            exit(1);
        }
        pid = (pid_t) atoi(argv[1]);

        /* Open the running kernel's namelist and /dev/kmem read-only. */
        if (! (kernel = kvm_open(NULL, NULL, NULL, O_RDONLY, argv[0]))) {
            perror("kvm_open");
            exit(2);
        }
        /* Fetch a copy of the proc structure for that pid. */
        if (! (ourproc = kvm_getproc(kernel, pid))) {
            perror("kvm_getproc");
            exit(3);
        }
        printf("p_cred = %lx\n", (unsigned long) ourproc->p_cred);

        kvm_close(kernel);
        return 0;
    }

... but it won't work without permission to open /dev/kmem.

It's probably a good idea to enable the hardware password feature on our Solaris consoles anyway (or is it?), but if there's a program bundled with Solaris that will spit out that address, there's an added reason for doing so. :-)

-Scott

---
Scott E. Lystig Fritchie, UNIX Systems Manager
Academic Computing Center, St. Olaf College
1510 St. Olaf Ave., Northfield, MN 55057
fritchie@stolaf.edu ... 507/646.3407
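The whole approach above hinges on one control: whether a non-root user can open /dev/kmem for reading. The following is an added example (not part of the original message, and not a Solaris utility) of how an administrator might audit that from a POSIX shell: it parses `ls -ld` output for each device node given on the command line (defaulting to /dev/kmem and /dev/mem, an assumed pair of paths), reports the owner and group, and returns non-zero if group or world read permission is set. When the group read bit is set, the group name is printed so that its membership (on SunOS/Solaris typically "kmem") can be reviewed.

```shell
#!/bin/sh
# Added example: audit read permissions on kernel-memory device nodes.
# Not part of the original message; paths are assumptions, pass your own.

# audit_kmem_node PATH
#   returns 0 if neither group nor others can read PATH,
#           1 if a non-owner could open PATH for reading,
#           2 if PATH does not exist.
audit_kmem_node() {
    node=$1
    if [ ! -e "$node" ]; then
        echo "$node: missing"
        return 2
    fi
    # ls -ld prints e.g. "crw-r----- 1 root kmem 13, 1 ... /dev/kmem";
    # field 1 is the mode string, field 3 the owner, field 4 the group.
    set -- $(ls -ld "$node")
    mode=$1
    owner=$3
    group=$4
    grp_r=$(printf '%s' "$mode" | cut -c5)   # group read bit
    oth_r=$(printf '%s' "$mode" | cut -c8)   # other read bit

    echo "$node: mode $mode owner $owner group $group"
    rc=0
    if [ "$oth_r" = "r" ]; then
        echo "  WARNING: world-readable; any local user can read kernel memory"
        rc=1
    fi
    if [ "$grp_r" = "r" ]; then
        echo "  NOTE: readable by group '$group'; review that group's membership"
        rc=1
    fi
    if [ "$owner" != "root" ]; then
        echo "  NOTE: owner is '$owner', not root"
    fi
    return $rc
}

# Default targets are assumptions; override with explicit arguments.
[ $# -eq 0 ] && set -- /dev/kmem /dev/mem
for n in "$@"; do
    audit_kmem_node "$n"
done
```

Run it as `sh audit_kmem.sh` (or with explicit paths) and treat any non-zero status as a finding to follow up on; the script only reads directory metadata, so it needs no special privilege itself.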