Michael Dilger writes: > I tried this attack on /usr/bin/ps and /usr/ucb/ps, and it works on > both of them. This makes me think that more than just solaris 2.x > machines are vulnerable (depending on the /tmp sticky bit). Many things depend on the /tmp sticky bit, ps was just a convenient way to get root. crontab can be attacked to overwrite anyone's cron file when they run 'crontab -e' (Scott, if you think it's worth posting the code for this let me know) and any of the other things that stash files in /tmp can be attacked. Neil. -- nreadwin@micrognosis.co.uk Phone: +1 908 855 1221 x519 Anything is a cause for sorrow that my mind or body has made