On Linux up to 1.2.11 (and probably 1.3.x too) the FIOSETOWN ioctl on sockets allows sending a SIGURG to any process. Before I post a program to exploit it (yes, I have one), here is a kernel patch to fix this:

----------
diff -urN v1.2.11/linux/net/inet/af_inet.c linux/net/inet/af_inet.c --- v1.2.11/linux/net/inet/af_inet.c Tue Jun 13 15:18:50 1995 +++ linux/net/inet/af_inet.c Wed Jul 5 16:00:19 1995 @@ -1260,6 +1260,7 @@ { struct sock *sk=(struct sock *)sock->data; int err; + int tmp; switch(cmd) { @@ -1268,7 +1269,11 @@ err=verify_area(VERIFY_READ,(int *)arg,sizeof(long)); if(err) return err; - sk->proc = get_fs_long((int *) arg); + tmp = get_fs_long((int *) arg); + /* see inet_fcntl */ + if (current->pid != tmp && current->pgrp != -tmp && !suser()) return -EPERM; + sk->proc = tmp; return(0); case FIOGETOWN: case SIOCGPGRP:
----------

This is against 1.2.11 but older versions should patch cleanly. There was a similar hole with the F_SETOWN fcntl, fixed a long time ago, but no one noticed the same problem with the FIOSETOWN ioctl even though both do the same thing (set sk->proc, which is the pid to send a SIGURG to when there is some new TCP OOB data).

Exploit program coming soon - it wasn't really hard to write :)

Marek
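Review bot: the permission check added in the FIOSETOWN hunk is a copy of the one the `/* see inet_fcntl */` comment points at in the F_SETOWN path, and two hand-maintained copies of the same check are exactly how this ioctl was missed when the fcntl was fixed; consider moving `if (current->pid != tmp && current->pgrp != -tmp && !suser()) return -EPERM;` into a small helper that both inet_fcntl and this ioctl case call, so a future change to one cannot skip the other. Note also that with this condition an unprivileged caller can no longer set sk->proc to 0 (no owner, so no SIGURG is sent), because 0 matches neither current->pid nor -current->pgrp; if clearing the owner is meant to stay unprivileged, add `tmp != 0 &&` in front of the condition.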