On Tue, Jul 30, 2002 at 09:59:36AM -0400, Michal Zalewski wrote:
> On Tue, 30 Jul 2002, Andrew Pimlott wrote:
>
> > If he is smart, he will check whether the file is open (eg with fuser)
> > before removing it. So your attack does require an administrator
> > mistake.
>
> Not really. The file does not have to be open to be present in the system.
> It is perfectly possible to leave a dangling root-owned file several
> times, so that the administrator can do very little to determine where it
> came from.

Correct, but: the admin should still verify that it is not open before
deleting it (in his cron job). IOW, when the file is present but not open,
the admin has no way to trace it, but at least removing it is harmless.
When the file is present and open, the clever admin will not only foil your
exploit (by not removing the file), but find the culprit (via fuser).

Maybe this is assuming too much prescience from the admin, but I don't
think so. After all, an open /etc/ptmp could well be involved in a
legitimate chfn, and the admin wouldn't want to disrupt that.

Andrew
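The cleanup Andrew describes, as an added example that is not part of the thread and not code from either poster: a cron-style "remove the stale lock file only if nothing holds it open" routine. It reads the same information `fuser` reports, walking `/proc/<pid>/fd` on Linux and falling back to the `fuser` binary elsewhere; the helper names (`processes_holding_open`, `remove_if_stale`, `demo`) and the temporary files it exercises are this example's own, and `/etc/ptmp` appears only as the case the thread discusses.

```python
import os
import shutil
import subprocess
import tempfile


def processes_holding_open(path):
    """Return the PIDs that currently hold `path` open (what `fuser` would list).

    Linux: walk /proc/<pid>/fd and compare device+inode, so the file is found
    even if the descriptor was opened under another name.  Other systems: run
    `fuser` if present.  Raises if neither source of information is available.
    """
    try:
        target = os.stat(path)
    except FileNotFoundError:
        return []
    if os.path.isdir("/proc"):
        pids = []
        for entry in os.listdir("/proc"):
            if not entry.isdigit():
                continue
            fd_dir = os.path.join("/proc", entry, "fd")
            try:
                fds = os.listdir(fd_dir)
            except OSError:          # not our process, or it just exited
                continue
            for fd in fds:
                try:
                    st = os.stat(os.path.join(fd_dir, fd))
                except OSError:      # descriptor closed while we looked
                    continue
                if (st.st_dev, st.st_ino) == (target.st_dev, target.st_ino):
                    pids.append(int(entry))
                    break
        return pids
    if shutil.which("fuser"):
        out = subprocess.run(["fuser", path], capture_output=True, text=True).stdout
        # some fuser variants append an access letter to each PID ("123c"); strip it
        return [int("".join(ch for ch in tok if ch.isdigit()))
                for tok in out.split() if any(ch.isdigit() for ch in tok)]
    raise RuntimeError("no /proc and no fuser: cannot tell whether %s is open" % path)


def remove_if_stale(path):
    """The admin's cron-job step: unlink `path` only when no process has it open.

    Returns (removed, pids).  When pids is non-empty the file was left alone and
    the list is the lead for finding who is using it (the thread's /etc/ptmp case:
    possibly a legitimate chfn, possibly the culprit).
    """
    pids = processes_holding_open(path)
    if pids:
        return False, pids
    try:
        os.unlink(path)
    except FileNotFoundError:        # someone else cleaned it up first
        return False, []
    return True, []


def demo():
    """Exercise both branches on constructed temp files; returns the outcomes."""
    fd, stale = tempfile.mkstemp(prefix="ptmp-stale-")
    os.close(fd)                     # nothing holds it open: safe to remove
    stale_removed, stale_pids = remove_if_stale(stale)

    fd, busy = tempfile.mkstemp(prefix="ptmp-busy-")
    try:                             # this process keeps fd open: must be kept
        busy_removed, busy_pids = remove_if_stale(busy)
        busy_still_exists = os.path.exists(busy)
    finally:
        os.close(fd)
        os.unlink(busy)
    return {
        "stale_removed": stale_removed,
        "stale_pids": stale_pids,
        "stale_gone": not os.path.exists(stale),
        "busy_removed": busy_removed,
        "busy_seen_by_self": os.getpid() in busy_pids,
        "busy_still_exists": busy_still_exists,
    }


if __name__ == "__main__":
    print(demo())
```

The check and the unlink are still two separate steps, so a short window remains between them; the value of the check is the one the thread argues for: an open file is never removed, and the PID list tells the admin whom to look at.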