On Tue, 30 Jul 2002, Andrew Pimlott wrote: > If he is smart, he will check whether the file is open (eg with fuser) > before removing it. So your attack does require an administrator > mistake. Not really. The file does not have to be open to be present in the system. It is prefectly possible to leave a dangling root-owned file several times, so that the administrator can do very little to determine where it came from. The attack itself requires the file to be open, but it can happen long after the administor started removing this file routinely. > However! There appears to be an attack that does not require any > administrator action. Appears to be true, good point. -- _____________________________________________________ Michal Zalewski [lcamtuf@bos.bindview.com] [security] [http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};: =-=> Did you know that clones never use mirrors? <=-= http://lcamtuf.coredump.cx/photo/
