Okay, I must be missing something.

> OPERATING SYSTEM(S):
> Solaris 2.x (Sunos 5.x)

???? I'm on 2.4 HW 3/95 (plus a bunch of patches of course) and can't find this hole. I'm looking to see if we still have a 2.3 machine around.

> DESCRIPTION:
> A race condition exists in /usr/bin/ps when ps opens a temporary
> file when executed. After opening the file, /usr/bin/ps chown's the
> temporary file to root and then renames it to /tmp/ps_data.

Well, I can't seem to find the temp files, even while running the exploit. (With a while (1) ls -l ps.* |& grep -v "No match" running.)

> WORKAROUND:
> chmod +t /tmp

If this is the truth, that means all of us *not* running with tmpfs will be affected. There is a bug in the code that the sticky bit works correctly on tmpfs but not on ufs.

> unlink ("/tmp/ps_data");

Uhh. On my system this won't work since /tmp/ps_data is 664. Or is this a matter of trying to catch the program twice?

> if (!strncmp (dp->d_name, "ps.", 3))
> sprintf (name, "/tmp/%s", dp->d_name);

I can't find this tmp file. I've checked the sources and it clearly does create; I just haven't been able to catch it. I'll keep trying though. Mostly I wanted to point out the bugs in ufs /tmp with sticky bit on.

Ciao,
--
Richard Bainter Mundanely | System Analyst - OMG/CSD
Pug Generally | Applied Research Labs - U.Texas
pug@arlut.utexas.edu | pug@eden.com | {any user}@pug.net
Note: The views may not reflect my employers, or even my own for that matter.
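For reference, an added example that is not part of the original message or of the Solaris ps source: a C sketch of the create, chown, rename sequence from the quoted advisory, written so that ownership and mode changes go through the open descriptor rather than the path name, plus a check for the sticky-bit workaround. It assumes the chown in the advisory is done by path; the function names `dir_is_sticky` and `publish_data_file` and the scratch directory are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if dir has the sticky bit (chmod +t), 0 if not, -1 if not a directory. */
int dir_is_sticky(const char *dir) {
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return -1;
    return (st.st_mode & S_ISVTX) ? 1 : 0;
}

/* Create dir/ps.XXXXXX, fill it, set owner and mode, then rename it to
 * dir/final_name. Owner and mode are changed with fchown/fchmod on the
 * descriptor, never by path. Returns 0 on success, -1 on failure. */
int publish_data_file(const char *dir, const char *final_name,
                      const void *data, size_t len) {
    char tmp[4096], dst[4096];
    struct stat st;
    if (snprintf(tmp, sizeof tmp, "%s/ps.XXXXXX", dir) >= (int)sizeof tmp ||
        snprintf(dst, sizeof dst, "%s/%s", dir, final_name) >= (int)sizeof dst)
        return -1;
    int fd = mkstemp(tmp);              /* exclusive create, mode 0600 */
    if (fd < 0) return -1;
    /* Verify what we actually opened (regular file, one link) before
     * touching ownership; a replaced path name cannot redirect fchown. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        fchown(fd, geteuid(), (gid_t)-1) != 0 ||
        write(fd, data, len) != (ssize_t)len ||
        fchmod(fd, 0664) != 0 ||
        rename(tmp, dst) != 0) {
        close(fd);
        unlink(tmp);
        return -1;
    }
    return close(fd);
}

int main(void) {
    char dir[] = "/tmp/psdemo.XXXXXX";  /* constructed scratch directory */
    if (!mkdtemp(dir)) return 1;
    printf("sticky=%d\n", dir_is_sticky(dir));
    int rc = publish_data_file(dir, "ps_data", "demo\n", 5);
    printf("publish rc=%d\n", rc);
    return rc != 0;
}
```

The final `rename` still works on path names, so the directory itself needs the sticky bit to stop other users from replacing entries; `dir_is_sticky` only reports the mode bit and says nothing about whether the filesystem enforces it.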