Dan Cross writes: > However, an extremely worthwhile thing to post would be a list of setuid > programs which make use of /tmp and are exploitable in the same manner. setuid is not the issue - any program that creates files in /tmp and reopens them may be vulnerable. That includes basic things like /bin/sh (for << documents), so if root ever runs a shell script then an attack may be possible. If the sticky bit is not set on /tmp then you are toast - end of story. -- nreadwin@micrognosis.co.uk Phone: +1 908 855 1221 x519 Anything is a cause for sorrow that my mind or body has made