On Sat 2009-10-24 10:47:38, psz@xxxxxxxxxxxxxxxxx wrote: > Dear Pavel, > > > ... can you see a way to write to that file when /proc is unmounted? > > While there is legitimate access to do so (after file is created and > before pavel issues 'chmod 700 /tmp/my_priv'), guest to use commands: > > ln /tmp/my_priv/unwritable_file /tmp/hardlink-to-object > > and then use that instead of /proc/self/fd/3, should work same as > original "attack" (and am curious whether 'link counts' shown by > 'ls -l /tmp/my_priv/unwritable_file' are 1 or 2 in each case). You are welcome to try it. link count is 2 for "ln" case and 1 for "/proc" case -- and that's exactly the problem. "pavel" has no chance to know that backdoor exists. Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
